The vulnerability exists in the file upload functionality of the [Product Name]. The application fails to properly validate file uploads, allowing attackers to upload and execute arbitrary PHP files.
Attackers can exploit this vulnerability by logging in to a user account (e.g., [email protected]), navigating to the "Lodge Complaint" section, and uploading a malicious PHP file. By intercepting the upload request with tools like Burp Suite, attackers can modify the content of the PHP file to contain code that executes system commands. Upon successful upload, attackers can trigger the execution of the uploaded PHP file by viewing the details of the complaint and choosing the uploaded file, leading to remote code execution on the server.
Accessing the Vulnerable Function:

Exploiting the Vulnerability:

`<?php system($_GET['torada']); ?>`

Triggering Remote Code Execution:

`connect.php`, as demonstrated in the video.

`whoami` and `dir`, as shown in the video [6cb49487-ade4-4833-8596-ff90e42af204.mp4](<https://prod-files-secure.s3.us-west-2.amazonaws.com/d243d6db-bde7-47a3-8189-a6cf2583781e/c734dade-1613-43eb-8a6e-b32126a9c5ca/6cb49487-ade4-4833-8596-ff90e42af204.mp4>)
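The upload flaw described above is closed by validating on the server, after any intercepting proxy has had its chance to alter the request. The following is an added example of such a check, not code from the product; the function name, the allowlist and the sample files are assumptions, and it relies on PHP's bundled fileinfo extension.

```php
<?php
// Added illustration, not the product's code. Names here are hypothetical.

// Returns a server-generated file name if the upload is acceptable, else null.
function safe_upload_name(string $clientName, string $tmpPath): ?string
{
    // Assumed allowlist: extension => MIME type detected from the file bytes.
    $allowed = [
        'pdf' => 'application/pdf',
        'png' => 'image/png',
        'jpg' => 'image/jpeg',
    ];

    // 1. Allowlist the final extension; .php and anything unknown is refused.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, $allowed)) {
        return null;
    }

    // 2. Detect the type from the content itself. The client-supplied
    //    Content-Type header and file name are attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== $allowed[$ext]) {
        return null;
    }

    // 3. Discard the client name and store under a random one, so the
    //    stored file can only ever carry an allowlisted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: a harmless PHP script and a minimal PNG header.
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'constructed sample'; ?>");
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\0\x01\0\0\0\x01\x08\x06\0\0\0\x1f\x15\xc4\x89");

var_dump(safe_upload_name('evidence.php', $php)); // PHP extension
var_dump(safe_upload_name('evidence.png', $php)); // PHP body behind an image name
var_dump(safe_upload_name('evidence.png', $png)); // genuine PNG under an image name

unlink($php);
unlink($png);
```

Content sniffing alone does not stop a file that is both a valid image and contains PHP, so the stored file should also live outside the web root (or in a directory where the PHP handler is disabled) and be served through a download script.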
The impact of this vulnerability includes: