Exploit / Vulnerability Discovered: 2020-05-07
Type: webapps
Platform: php
# Exploit Title: Pisay Online E-Learning System 1.0 - Remote Code Execution
# Exploit Author: Bobby Cooke
# Date: 2020-05-05
# Vendor Homepage: https://www.sourcecodester.com/php/14192/pisay-online-e-learning-system-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/e-learningsystem_0.zip
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
# Description: Pisay Online E-Learning System v1.0 - SQLi Auth Bypass + Remote Code Execution (RCE)
# Vulnerable Source Code:
# /e-learningsystem/admin/login.php
# 121 $email = trim($_POST['user_email']);
# 122 $upass = trim($_POST['user_pass']);
# 123 $h_upass = sha1($upass);
# 132 $user = new User();
# 134 $res = $user::userAuthentication($email, $h_upass);
# /e-learningsystem/include/accounts.php
# 3 class User {
# 23 static function userAuthentication($email,$h_pass){
# 25 $mydb->setQuery("SELECT * FROM `tblusers` WHERE `UEMAIL` = '". $email ."' and `PASS` = '". $h_pass ."'");
# /e-learningsystem/admin/modules/lesson/edit.php
# 6 @$id = $_GET['id'];
# 7 if($id==''){
# 10 $lesson = New Lesson();
# 11 $res = $lesson->single_lesson($id);
# /e-learningsystem/include/lessons.php
# 4 class Lesson {
# 5 protected static $tblname = "tbllesson";
# 35 function single_lesson($id=0){
# 37-38 $mydb->setQuery("SELECT * FROM ".self::$tblname." Where LessonID= '{$id}' LIMIT 1");
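The listing above shows why the login query is injectable: the email and hashed password are concatenated straight into the SQL string. The following added example (not the project's code) mirrors that logic in Python against a constructed in-memory SQLite table, placing the concatenated query next to a parameterized one so the difference is observable; the table layout (`tblusers` with `UEMAIL`/`PASS`) and the sha1 step are taken from the listing, everything else is an assumption. The same bound-parameter fix applies to the `LessonID` lookup in lessons.php.

```python
import hashlib
import sqlite3


def make_db():
    # Constructed stand-in for the app's `tblusers` table; column names follow
    # accounts.php, the sha1-hex password storage follows login.php.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblusers (UEMAIL TEXT, PASS TEXT)")
    db.execute(
        "INSERT INTO tblusers VALUES (?, ?)",
        ("admin@example.test", hashlib.sha1(b"constructed-secret").hexdigest()),
    )
    db.commit()
    return db


def user_authentication_vulnerable(db, email, h_pass):
    # Mirrors accounts.php line 25: input is glued into the statement, so a
    # quote in `email` changes the WHERE clause instead of being matched.
    sql = ("SELECT * FROM tblusers WHERE UEMAIL = '" + email
           + "' and PASS = '" + h_pass + "'")
    return db.execute(sql).fetchone() is not None


def user_authentication_fixed(db, email, h_pass):
    # Hardened form: bound parameters keep quotes in the input as data.
    sql = "SELECT * FROM tblusers WHERE UEMAIL = ? AND PASS = ?"
    return db.execute(sql, (email, h_pass)).fetchone() is not None


def login(db, user_email, user_pass, authenticate):
    # Mirrors login.php lines 121-134: trim both fields, sha1 the password,
    # then hand both to the authentication routine under test.
    email = user_email.strip()
    h_upass = hashlib.sha1(user_pass.strip().encode()).hexdigest()
    return authenticate(db, email, h_upass)


if __name__ == "__main__":
    db = make_db()
    # Constructed tautology in the email field; the password is never checked
    # because the injected OR short-circuits the concatenated WHERE clause.
    tautology = "x' OR 1=1 OR 'a'='b"
    print(login(db, "admin@example.test", "constructed-secret", user_authentication_vulnerable))  # True
    print(login(db, tautology, "anything", user_authentication_vulnerable))  # True: auth bypass
    print(login(db, tautology, "anything", user_authentication_fixed))       # False: input stays literal
```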