Unrestricted Upload of File with Dangerous Type in dmpop/mejiro
Reported on
Sep 14th 2021
Description
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish this.
https://github.com/dmpop/mejiro
is vulnerable to unrestricted file upload leading to remote code execution: upload.php writes every submitted file, under its client-supplied name, into a web-accessible directory without checking its type, so an uploaded .php file is executed by the server, as shown below:
Proof of Concept
Resource: upload.php
Variable: $_FILES
Snippet:
<?php
// Vulnerable upload loop from upload.php (kept as-is to show the flaw).
// $upload_dir is set elsewhere in the script and points at the photos/
// directory that the web server serves, so anything written here is reachable by URL.
if (isset($_POST['submit'])) {
// count total files
$countfiles = count($_FILES['file']['name']);
// looping all files
for ($i = 0; $i < $countfiles; $i++) {
// the filename (and therefore the extension) is taken verbatim from the client
$filename = $_FILES['file']['name'][$i];
// upload file: no extension allow-list, no content-type sniffing, no size limit,
// and the attacker-chosen name is used as-is for the destination path
move_uploaded_file($_FILES['file']['tmp_name'][$i], $upload_dir . DIRECTORY_SEPARATOR . $filename);
}
}
?>
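For comparison, the following is a hardened version of the same loop. It is an added example written for this page, not code from the mejiro project. It assumes that $upload_dir is the gallery's photo directory, that only JPEG, PNG and GIF photos are legitimate uploads, and a 20 MiB per-file cap; the names ALLOWED_TYPES, MAX_BYTES and safe_upload_name() are invented for the example. The key changes are that the stored extension is derived from the sniffed content type rather than the client-supplied name, the file must decode as an image, and the destination name is chosen by the server.

```php
<?php
// Hardened upload handler (added example, not mejiro's code).
// Assumptions: $upload_dir is the gallery's photo directory, and only
// JPEG/PNG/GIF photos are legitimate uploads.
declare(strict_types=1);

// Sniffed MIME type => extension the server will store the file under.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_BYTES = 20 * 1024 * 1024; // 20 MiB per file (assumed limit)

/**
 * Validate one uploaded file and return a safe server-chosen filename,
 * or null if the upload must be rejected.
 * Nothing from the client-supplied name reaches the filesystem.
 */
function safe_upload_name(string $tmp_path, int $error, int $size): ?string
{
    // PHP-level upload error, or a path that was not actually uploaded via HTTP.
    if ($error !== UPLOAD_ERR_OK || !is_uploaded_file($tmp_path)) {
        return null;
    }
    if ($size <= 0 || $size > MAX_BYTES) {
        return null;
    }
    // Sniff the real content type from the bytes; $_FILES['type'] is client-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($tmp_path);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        return null;
    }
    // Require that the file decodes as an image; a bare PHP stub does not.
    if (@getimagesize($tmp_path) === false) {
        return null;
    }
    // Random name with a server-chosen extension: no attacker influence on the path.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
}

if (isset($_POST['submit']) && isset($_FILES['file'])) {
    $countfiles = count($_FILES['file']['name']);
    for ($i = 0; $i < $countfiles; $i++) {
        $name = safe_upload_name(
            $_FILES['file']['tmp_name'][$i],
            (int) $_FILES['file']['error'][$i],
            (int) $_FILES['file']['size'][$i]
        );
        if ($name === null) {
            error_log('Rejected upload: ' . $_FILES['file']['name'][$i]);
            continue;
        }
        $dest = $upload_dir . DIRECTORY_SEPARATOR . $name;
        if (move_uploaded_file($_FILES['file']['tmp_name'][$i], $dest)) {
            chmod($dest, 0644); // no execute bit on stored photos
        }
    }
}
?>
```

Content sniffing alone is not sufficient, because a valid image can carry PHP code in its metadata; what actually closes the hole is that the stored file can never end in .php (the extension comes from ALLOWED_TYPES) combined with configuring the web server not to execute scripts from the photo directory at all, for example `php_flag engine off` in an Apache .htaccess for photos/ or an equivalent location rule for other servers.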
Payload
- Create a file called info.php with the following content:
<?php
phpinfo();
?>
- Go to http://localhost/mejiro-main/upload.php and select info.php
- Click Upload
- Go to http://localhost/mejiro-main/photos/info.php and observe that the phpinfo() page is rendered, i.e. the uploaded PHP file is executed by the server.
Impact
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored. Here the file is stored under the web root (photos/) with its original extension and served by PHP, so an unauthenticated user who can reach upload.php obtains remote code execution as the web server user.