Vendor: Artworks Gallery
Author: Shahrukh Iqbal Mirza
CVSS: 8.8 (HIGH)
Vulnerability: Arbitrary File Upload RCE
CWE: 434
Product Name: Artworks Gallery
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
CVE: CVE-2020-28688
CPE: a:code-projects.org:artworks_gallery:1.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10 (XAMPP Server)
Year: 2020

Artworks Gallery 1.0 – Arbitrary File Upload RCE (Authenticated)

Authenticate as a user (or signup as an artist). Click the drop down for your username and go to My ART+BAY. Click on My Artworks > My Available Artworks > Add an Artwork. Click on any type of artwork and instead of the picture, upload your php-shell > click on upload. Find your shell at 'http://<ip>/<base_url>/pictures/arts/<shell.php>' and get command execution.

Mitigation:

Restrict uploads to the expected file extensions and content types, and validate both on the server (from the file's actual contents, not from the client-supplied filename or Content-Type) before the file is stored.
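The following hardened upload handler is an added example of that mitigation; it is not code from the Artworks Gallery project. The form field name 'picture', the target directory and the size limit are assumptions. It accepts only image extensions, requires the sniffed MIME type and the decoded image type to agree with the extension, ignores the client-supplied name entirely when choosing where to store the file, and only touches files PHP itself received via HTTP upload.

```php
<?php
// Added example, not Artworks Gallery code. Field name, directory and
// size limit below are assumptions.
declare(strict_types=1);

// Extension -> MIME type the file content must match.
const ALLOWED_IMAGES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024; // assumed limit

/**
 * Validate one entry of $_FILES and return the extension it may be stored
 * under. Throws on any failed check. Decisions are based on what PHP
 * received on disk (tmp_name), never on the client-supplied name or type.
 */
function validate_image_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    // Refuse anything that did not arrive through an HTTP POST upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ((int) $file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Use the LAST extension, lower-cased: "shell.jpg.php" is rejected
    // outright, and "shell.php.jpg" must still pass the content checks.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGES)) {
        throw new RuntimeException('Extension not allowed');
    }
    // Content-sniffed MIME type must agree with the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED_IMAGES[$ext]) {
        throw new RuntimeException('Content type does not match extension');
    }
    // The bytes must also decode as an image of that type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== ALLOWED_IMAGES[$ext]) {
        throw new RuntimeException('Not a valid image');
    }
    return $ext;
}

/**
 * Validate and store an upload under a server-generated name; returns the
 * stored filename. The client never influences the final path.
 */
function store_image_upload(array $file, string $dir): string
{
    $ext  = validate_image_upload($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // data file, never executable
    return $name;
}

// Usage (field name 'picture' and directory are assumptions):
// $stored = store_image_upload($_FILES['picture'], __DIR__ . '/pictures/arts');
```

The content checks and the server-generated filename are the core of the fix, but they should be paired with a web-server rule that disables script execution in the upload directory (for example, turning the PHP engine off for that directory in the Apache configuration), so that even a validation bypass cannot turn a stored file into code execution.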

Exploit-DB raw data:

# Exploit Title: Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated)
# Date: November 17th, 2020
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
# Vendor Homepage: Source Code & Projects (https://code-projects.org)
# Software Link: https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf
# Version: 1.0
# Tested On: Windows 10 (XAMPP Server)
# CVE: CVE-2020-28688
---------------------
Proof of Concept:
---------------------
1. Authenticate as a user (or signup as an artist)
2. Click the drop down for your username and go to My ART+BAY
3. Click on My Artworks > My Available Artworks > Add an Artwork
4. Click on any type of artwork and instead of the picture, upload your php-shell > click on upload
5. Find your shell at 'http://<ip>/<base_url>/pictures/arts/<shell.php>' and get command execution