Description:
`controllers/page_apply.php` in simplejobscript.com SJS <=1.66 is prone to unauthenticated Remote Code Execution by uploading a PHP script as a resume.

Environment:
Version: 1.64
OS: Ubuntu 16.10
Web server: Apache 2.4.18
PHP: 5.6.40
Database: MySQL 5.7.28
URL: `/apply`

Steps to Reproduce:
1/ Apply for a job and attach a PHP file as your resume
2/ Browse the upload directory http://local.simplejobscript.net/uploads/cvs/
3/ Run the PHP file

Additional information:
If you can't see the content of the upload directory (directory indexing is off), it can be hard to guess the final filename of your malicious resume because of the `uniqid` generated.
However, you can use one of the multiple SQL injections (CVE-2020-7229) and then read the content of the table `applicant`, or use one of the multiple IDORs available to have access to all applications of all companies.

PoC:
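The root cause reported above is an upload handler that accepts any file as a "resume" and places it under a web-served directory. The following is an added example of a hardened handler written for this issue; it is not code from the SJS project, and the field name `resume`, the function name `store_resume_upload` and the destination path are assumptions. It enforces an extension allowlist, verifies the file content with `finfo` instead of trusting the client-supplied type, stores the file under a server-generated random name with a non-executable mode, and expects a destination directory outside the web root so that nothing in it can ever be executed by the web server.

```php
<?php
// Added example (not SJS project code): a hardened resume-upload handler.
// Assumed: called from a form handler with $_FILES['resume'] and a
// destination directory that sits OUTSIDE the web root (assumption).

declare(strict_types=1);

const RESUME_MAX_BYTES = 5 * 1024 * 1024;

// Extension => MIME types accepted for that extension (allowlist).
const RESUME_ALLOWED = [
    'pdf'  => ['application/pdf'],
    'doc'  => ['application/msword'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
];

/**
 * Validate an uploaded resume and store it under a server-chosen name.
 * Returns the stored filename; throws RuntimeException on any failure.
 */
function store_resume_upload(array $file, string $destDir): string
{
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    // Reject anything PHP did not receive as part of this HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if (($file['size'] ?? 0) > RESUME_MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Extension allowlist. The client-supplied name is used only for this
    // check and never becomes part of the stored path.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!array_key_exists($ext, RESUME_ALLOWED)) {
        throw new RuntimeException('file type not allowed');
    }

    // Content check: $file['type'] comes from the client and is untrusted,
    // so sniff the bytes and require a match for the claimed extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, RESUME_ALLOWED[$ext], true)) {
        throw new RuntimeException('content does not match extension');
    }

    // Server-generated, unguessable name carrying only the validated extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($destDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $name;
}

// Usage (assumed form field "resume" and assumed private directory):
// $stored = store_resume_upload($_FILES['resume'], '/var/app/private/cvs');
// Serve the file back later through an authenticated download endpoint that
// sends it as an attachment, rather than linking to a web-served directory.
```

As defence in depth for deployments where uploads must stay under the document root, the Apache configuration for that directory (this page's environment is Apache 2.4.18) can additionally turn off the PHP engine or deny access to `.php` files; that alone does not fix the handler, but it removes the execution step the report relies on.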
![sjs_file_upload](https://user-images.githubusercontent.com/5347721/72682077-d97e6c00-3ac9-11ea-986a-2dd6ba48d123.png)