[PHPMaker] Arbitrary File Upload via Insecure Direct Object References

Hi All

This post is my first post about web application security. I'll talk about my first experience scanning and analysing the open-source PHPMaker.


PHPMaker is a powerful automation tool that can quickly generate a full set of PHP scripts from MySQL, PostgreSQL, Microsoft Access, Microsoft SQL Server and Oracle databases. Using PHPMaker, you can instantly create web sites that let users view, edit, search, add and delete records on the web.


I chose this project for pen-testing when I found a private program on HackerOne using it on subdomains, so I started looking for the project on GitHub. After my search I learned that the original company behind it is hkvstore, a software products vendor.

Analysis steps

  • I downloaded the demo version of the product.
  • I installed it on localhost.
  • I accessed the login dashboard path and looked at the page source.
  • I saw a PHP file named ewlookup10.php.
  • After checking the script files, it turned out there is a file-upload script called ewupload.php linked with ewlookup10.php.

"Missing post data."! At that moment I had an idea: can I execute something outside the dashboard? So let's look at the file ewupload.php.
At lines #29 and #143 there are values for uploading files without any session-access protection, so can I upload files such as a shell or cmd script without logging in to the dashboard?
The file ewlookup10.php connects to ewupload.php via the POST method.

Let's hack

  • Log in as admin to the dashboard on localhost.
  • Upload a file from "Add Server" with a photo extension.
  • Catch the upload request with Burp Suite.
  • Change the extension to .php and the content type to

Proof of Concept

  • First request: content type image/jpeg on localhost
  • Second request: content type application/x-php on localhost
  • Third request: content type application/x-php on the victim host

You'll find the problem with the path of the file, because when the file is uploaded it is saved in /upload/temphash/xserver_file.


Take the temp_hash or PHPSESSID from the file request uploaded on localhost and use it against the victim host, because it's the same value; you can also create files or folders via PHPSESSID injection.
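For comparison, here is the shape of an upload handler that closes the three gaps described above: no session check before the upload code runs, trust in the client-supplied extension and Content-Type, and a storage path built from client-controlled temp_hash / PHPSESSID values. This is an added example written for this post, not PHPMaker's code or ewupload.php; the form field name `upload`, the session key `user_id` and the `private_uploads` directory are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not PHPMaker's ewupload.php. Assumptions: the form field is
// called "upload", a logged-in user has $_SESSION['user_id'] set, and
// private_uploads/ sits outside the web root so nothing in it can be executed.

session_start();

function fail(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    exit($msg);
}

// 1. Authentication first: the upload handler must not be reachable without a
//    valid dashboard session, whatever the request body contains.
if (empty($_SESSION['user_id'])) {
    fail(401, 'Login required');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST only');
}

// 2. Presence and PHP-level upload checks.
if (!isset($_FILES['upload']) || $_FILES['upload']['error'] !== UPLOAD_ERR_OK) {
    fail(400, 'Missing or failed upload');
}
$tmp = $_FILES['upload']['tmp_name'];
if (!is_uploaded_file($tmp)) {
    fail(400, 'Not an uploaded file');
}

// 3. Allowlist the extension and verify the bytes with finfo. The client's
//    Content-Type header (image/jpeg vs application/x-php in the write-up)
//    is never consulted: it is attacker-controlled.
$allowed = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];
$ext = strtolower(pathinfo($_FILES['upload']['name'], PATHINFO_EXTENSION));
if (!isset($allowed[$ext])) {
    fail(415, 'Extension not allowed');
}
$detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
if ($detected !== $allowed[$ext] || @getimagesize($tmp) === false) {
    fail(415, 'Content does not match extension');
}

// 4. Storage location and name are generated server-side. The per-user folder
//    is derived from the server's own session id, not from a temp_hash or
//    PHPSESSID value read out of the request body, so a path captured on one
//    host cannot be replayed on another and no client value reaches the
//    filesystem.
$userDir = __DIR__ . '/../private_uploads/' . hash('sha256', session_id());
if (!is_dir($userDir) && !mkdir($userDir, 0700, true)) {
    fail(500, 'Cannot create upload directory');
}
$dest = $userDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($tmp, $dest)) {
    fail(500, 'Cannot store file');
}

header('Content-Type: application/json');
http_response_code(201);
echo json_encode(['stored' => basename($dest)]);
```

Because the stored name is random and the original filename is discarded, a double extension like `photo.php.jpg` ends up as `<random>.jpg` and is only accepted if its bytes really decode as a JPEG. If the files must live under the web root instead of `private_uploads`, the same design still needs the web server configured to refuse script execution in that directory.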


Done! Thanks for reading. Let me know what you think; tweet me @hussain_0x3c
