Authenticated Arbitrary File Upload leading to RCE on Poultry Farm Management System 1.0

Poultry Farm Management System 1.0 allows an authenticated user to upload a PHP file via /Redcock-Farm/farm/product.php. Exploiting this issue allows an attacker to execute malicious commands on the hosted server.

Vendor Homepage: https://www.sourcecodester.com/php/15230/poultry-farm-management-system-free-download.html

Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Redcock-Farm.zip

Tested on: Ubuntu 20.04.5 LTS + PHP 7.4.3, Apache 2.4.41


Identification

Let’s open the code and see the root cause.

UI for product creation

Vulnerable code

In the above code, the uploaded file is passed to move_uploaded_file without any check on its file type.

Hence, we can upload any file.


Exploitation

Let’s create a PHP file through which we can execute code.

Upload the file by clicking Save.

You will get an alert saying you have successfully registered.

The product is created

** In case you do not see any file creation, it means that PHP is not able to create files in that directory. Kindly add permission to the deployed folders for it to create files. I used the below command to let PHP create files

sudo chmod 777 -R /var/www/html/

Now, go to the /Redcock-Farm/farm/assets/img/productimages/shell.php endpoint to execute your payload.


Remediation

  1. Check file type before letting someone upload something.