Hi All,
I am Maloy Roy Orko.
CVE Number: In Review
CWE: 94
Recently, during one of my pentest research sessions, I found a Real Estate Management System by scriptandtools, which is an open source project written in native PHP.
Curious to explore its functionalities, I downloaded it and set it up on my local system.
After fiddling with the source code, I found that it did not have any kind of file extension or upload protection in the register.php file.
It can lead to:
- Malware Distribution
- Remote Code Execution (RCE)
- Data Breach
- Denial of Service (DoS)
- Web Shell Installation
- Bypassing Security Controls
- Reputation Damage
The main thing is, if any non-IT person uses this template, they will fall into this vulnerability and their company's reputation can be lost too. That's why I am trying to inform everyone about this.
Title of the Vulnerability:
Real Estate Management System V 1.0 | User Image Upload - register.php | Remote Code Execution | Found By Maloy Roy Orko
Vulnerability Class: Remote Code Execution Via Unrestricted File Upload
Product Name: Real Estate Management System
Vendor: https://github.com/scriptandtools/
Vulnerable Product Link: https://github.com/scriptandtools/Real-Estate-website-in-PHP
Vulnerable File/Component: register.php
Technical Details & Description: The application's source code is written in a way that allows unrestricted file upload and, through it, remote code execution.
Observation & Exploitation:
Let's look at the source code.
File: register.php
It shows no protection against unrestricted file upload.
So we don't even need any bypass 😉
So upload a shell and then deface the system 😏😎
For this, we need to upload the shell in place of the user image (PP) here:
http://192.168.0.101:8080/reali/register.php
> Upload the shell instead of the user image
So, let's upload a shell named minis.php there.
When you are done, just hit this URL with the shell name:
http://192.168.0.101:8080/reali/admin/user/shell-name
For me:
http://192.168.0.101:8080/reali/admin/user/minis.php
Shell Location: http://192.168.0.101:8080/reali/admin/user/shell-name
You can see that there is no defense or filter against unrestricted file upload. The files simply get uploaded, and then we can access shell.php here:
http://192.168.0.101:8080/reali/admin/user/
So, we found remote code execution via an unrestricted file upload vulnerability, and the shell upload is done too 🤝
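For comparison, this is how the user-image upload in register.php could be hardened. It is an added example written for this writeup, not the project's own code; the form field name "image" and the function name storeProfileImage are assumptions.

```php
<?php
// Added example, not the project's code: hardened handling for the user-image
// upload in register.php. Assumes the form field is named "image".

const MAX_IMAGE_BYTES = 2 * 1024 * 1024;
// Allowlist: MIME type detected from the bytes => extension written to disk.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Validates an uploaded profile image and stores it under a random name.
// Returns the stored filename; throws on any failure. The client-supplied
// filename and $_FILES[...]['type'] are never trusted.
function storeProfileImage(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a PHP-managed upload');
    }
    if ($file['size'] > MAX_IMAGE_BYTES) {
        throw new RuntimeException('Image too large');
    }
    // Sniff the real content type from the file contents, not the request.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('Unsupported image type: ' . $mime);
    }
    // Second, independent check that the file decodes as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a decodable image');
    }
    // Server-chosen random name and extension: neither the original filename
    // nor a double extension such as x.php.jpg reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store image');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $name;
}

// Usage inside register.php (directory taken from the writeup):
// $stored = storeProfileImage($_FILES['image'], __DIR__ . '/admin/user');
```

Content checks alone are not sufficient, so the admin/user/ directory should also be served with PHP execution disabled in the web server configuration; a file like minis.php would then be refused by the validation above, and anything that slipped through would be served as inert bytes rather than executed.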
Risks of RCE:
- Unauthorized Access: Attackers can gain control over systems and applications.
- Data Breaches: Sensitive data can be accessed, stolen, or manipulated.
- Malware Deployment: Attackers can install malicious software, including ransomware.
- System Compromise: Complete takeover of affected systems, leading to further exploitation.
- Network Propagation: RCE vulnerabilities can allow attackers to move laterally within a network.
- Denial of Service: Attackers can disrupt services, making systems unavailable to legitimate users.
Impacts of RCE:
- Financial Losses: Costs associated with recovery, remediation, and potential legal fees.
- Reputational Damage: Loss of customer trust and brand reputation due to security incidents.
- Regulatory Fines: Non-compliance with data protection regulations can lead to significant penalties.
- Data Loss: Permanent loss of critical data and intellectual property.
- Operational Disruption: Downtime and interruptions in business operations.
- Legal Consequences: Potential lawsuits from affected parties or customers.
Conclusion:
The main aim of this article is to show that if any non-IT person uses this template, they will fall into this vulnerability and their company's reputation can be lost too. But I also hope that it helps give you ideas of how combining attacks can make them much more potent.