[PHPMaker] Arbitrary Upload File via Insecure Direct Object References
This post is my first post about web application security. I’ll talk about my first experience scanning and analysing the open-source PHPMaker.
PHPMaker is a powerful automation tool that can quickly generate a full set of PHP scripts from MySQL, PostgreSQL, Microsoft Access, Microsoft SQL Server and Oracle databases. Using PHPMaker, you can instantly create web sites that allow users to view, edit, search, add and delete records on the web.
I chose this project for pen-testing when I found a private program on HackerOne using it on a subdomain, so I started looking for the project on GitHub. After my search I learned that the original company is hkvstore, a software products vendor.
- I downloaded the demo version of the product.
- I installed it on localhost.
- I accessed the login dashboard path and looked at the page source.
- I saw a PHP file under the name
- After checking the file's script, it turns out it is a file-upload handler called
- Log in as admin to the dashboard on localhost.
- Upload a file from
Add Server with a photo (image) extension.
- Catch the upload request with Burp Suite.
- Change the extension to .php and the content type to
- Change the Host from localhost to http://victim.com/ewupload.php
- Change the Referer to the victim host.
- The file is uploaded on the victim host.
Proof of Concept
You’ll find the problem with the path of the file, because when the file is uploaded it is saved in /upload/temphash/xserver_file.
The PHPSESSID of the file request uploaded at localhost is accepted by the victim host because it's the same value; you can also create files or folders via injection.
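The root causes above are an upload handler that trusts the client-supplied extension and Content-Type, stores files under a predictable path, and does not bind the upload to a session the server itself issued. As an added defensive example (not PHPMaker's or hkvstore's code; the allowlists, size limit and `$_SESSION['user_id']` key are assumptions), here is how an image upload endpoint can validate the same request server-side:

```php
<?php
// Added example, not PHPMaker's code: server-side validation for an image upload.
// The client-supplied filename and Content-Type are untrusted; the extension must be
// on an allowlist, the bytes must sniff as an image, and the stored name is random.
const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif'];            // assumed policy
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];
const MAX_BYTES    = 2 * 1024 * 1024;                           // assumed limit

function validateImageUpload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload failed'];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'file too large'];
    }
    // Extension taken from the original name, compared case-insensitively: "shell.php"
    // is rejected here; "image.php.jpg" passes this check but is renamed below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return [false, 'extension not allowed'];
    }
    // Sniff the real type from the bytes; $_FILES[...]['type'] is set by the client
    // and is exactly what the Burp-modified request in the write-up changes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return [false, 'content is not an image'];
    }
    return [true, $ext];
}

function storeUpload(array $file, string $dir): ?string
{
    // The upload must belong to a session this host authenticated; a session id
    // that was never issued here has no user bound to it and is refused.
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    if (empty($_SESSION['user_id'])) { return null; }   // assumed session key

    [$ok, $extOrError] = validateImageUpload($file);
    if (!$ok) { return null; }
    // Server-chosen random name: the final path is not predictable from the request
    // and the client's filename never reaches the filesystem. $dir should sit outside
    // the web root or have PHP execution disabled.
    $name = bin2hex(random_bytes(16)) . '.' . $extOrError;
    $dest = rtrim($dir, '/') . '/' . $name;
    // move_uploaded_file() refuses any path that did not arrive via this request's upload.
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}
```

Called as `storeUpload($_FILES['photo'], '/var/app/uploads')`, the function returns the stored name or null; the same checks apply regardless of which Host or Referer header the request carries.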
Done! Thanks for reading. Let me know what you think tweet me @hussain_0x3c