- Exploit Author: zerrr0
- An arbitrary file upload vulnerability in the select attachment function of Online Ordering System By janobe allows attackers to execute arbitrary code via a malicious PHP file.
- Vulnerability file: /ordering/admin/products/controller.php?action=add
- Goto: http://localhost/ordering/admin/
- Login as admin using test credentials: admin/admin
- Goto: http://localhost/ordering/admin/products/
Register New Product-> Upload Attachment
