Authenticated Arbitrary File Upload leading to RCE on Poultry Farm Management System 1.0
Poultry Farm Management System 1.0 allows an authenticated user to upload a PHP file via /Redcock-Farm/farm/product.php. Exploiting this issue allows an attacker to execute malicious commands on the hosted server.
Vendor Homepage: https://www.sourcecodester.com/php/15230/poultry-farm-management-system-free-download.html
Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Redcock-Farm.zip
Tested on: Ubuntu 20.04.5 LTS + PHP 7.4.3, Apache 2.4.41
Identification
Let’s open the code and see the root cause.
Vulnerable code
In the above code, the uploaded file is passed to move_uploaded_file without any check of its type.
Hence, we can upload any file.
Exploitation
Let’s create a PHP file that lets us execute code.
Upload the file by clicking Save.
You will get an alert saying you have successfully registered.
Note: In case you do not see any file creation, it means that PHP is not able to create files in that directory. Kindly add permission to the deployed folders for it to create files. I used the below command to let PHP create files:
sudo chmod 777 -R /var/www/html/
Now, go to the /Redcock-Farm/farm/assets/img/productimages/shell.php endpoint to execute your payload.
Remediation
- Check the file type on the server before accepting an upload.
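
One way to implement that check in PHP, as an added example that is not the application's own code. The form field name `image` and the function `store_product_image` are assumptions; only the upload directory comes from the path shown above.

```php
<?php
// Added example: server-side validation for a product image upload.
// Assumptions (not from the application): form field "image", helper name below.

const ALLOWED_TYPES = [          // MIME type detected from content => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_BYTES = 2 * 1024 * 1024;

function store_product_image(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('Invalid upload');
    }
    // Detect the type from the file content; $file['type'] and the
    // client-supplied filename are controlled by the uploader.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Only JPEG, PNG or GIF images are accepted');
    }
    // Never reuse the submitted name: generate one and attach the extension
    // chosen from the allow-list, so the stored file cannot end in .php.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['image'])) {
    try {
        $stored = store_product_image($_FILES['image'], __DIR__ . '/assets/img/productimages');
        // Save $stored in the product record instead of the original filename.
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

Disabling script execution for the upload directory in the web server configuration adds a second layer if a check like this is ever bypassed.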