Simple College Website 1.0 was found to be vulnerable to an unauthenticated arbitrary file upload leading to remote code execution.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-40087
Vendor Homepage: https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html
Source Code: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-college-website.zip
Root cause Analysis and Hacking
Let’s explore the source code and find the cause for the Vulnerability.
Line:277 extracts the parameters from the POST request. After that, file_put_contents() function is used to create a file using the $page_content. Here, there is no checking for filename or malicious content.
Therefore, it is possible to create any file with any content using this function. For example, php webshell.
Now, let’s find out the uri which calls this function.
The function save_page can be called from the manage_page.php on UI.
Using the Burp to see the request and response,
1 in the output represents the success of the operation.
Let’s change the filename and page_content in the request to create a php file :)
Now, we gonna call the proof.php to see the output.
This proves that the RCE is successful.
Another Important observation is that, it is possible to create arbitrary file without authenticating to the admin portal as the code is not checking for it.
Hence, it will be an unauthenticated arbitrary file creation vulnerability.
PoC
Github link: https://gist.github.com/gowthamaraj/454df3356b1c7ffe2a3eec21e58ba540
Remediation
- Authentication of requests made by the user.
- Checking for filename when creating it.
- Input sanitisation and validation.
Hay Yay!!!
Please give a clap if you found it use full and follow me to get more hacking knowledge.