Simple College Website 1.0 — Unauthenticated Arbitrary File Upload RCE
Simple College Website 1.0 was found to be vulnerable to an unauthenticated arbitrary file upload leading to remote code execution.
Root cause Analysis and Hacking
Let’s explore the source code and find the cause for the Vulnerability.
Line:277 extracts the parameters from the POST request. After that, file_put_contents() function is used to create a file using the $page_content. Here, there is no checking for filename or malicious content.
Therefore, it is possible to create any file with any content using this function. For example, php webshell.
Now, let’s find out the uri which calls this function.
The function save_page can be called from the manage_page.php on UI.
Using the Burp to see the request and response,
1 in the output represents the success of the operation.
Let’s change the filename and page_content in the request to create a php file :)
Now, we gonna call the proof.php to see the output.
This proves that the RCE is successful.
Another Important observation is that, it is possible to create arbitrary file without authenticating to the admin portal as the code is not checking for it.
Hence, it will be an unauthenticated arbitrary file creation vulnerability.
- Authentication of requests made by the user.
- Checking for filename when creating it.
- Input sanitisation and validation.