WEBIGniter v28.7.23 File Upload - Remote Code Execution

Exploit Author: nu11secur1ty
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-10-09
## Title: WEBIGniter v28.7.23 File Upload - Remote Code Execution
## Author: nu11secur1ty
## Date: 09/04/2023
## Vendor: https://webigniter.net/
## Software: https://webigniter.net/demo
## Reference: https://portswigger.net/web-security/file-upload


## Description:
The media function suffers from a file upload vulnerability.
An attacker can upload and then remotely execute very dangerous PHP
files, using any account previously created on this system.
They can then do very malicious things with the server of this application.

## Status: HIGH-CRITICAL Vulnerability

[+]Simple Exploit:
```php
<?php
phpinfo();
?>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WEBIGniter/2023/WEBIGniter-28.7.23-File-Upload-RCE)

## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/09/webigniter-28723-file-upload-rce.html)

## Time spent:
00:15:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html, https://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/


WEBIGniter v28.7.23 File Upload Vulnerability: Remote Code Execution (RCE) Exploitation

On September 4, 2023, cybersecurity researcher nu11secur1ty disclosed a critical vulnerability in WEBIGniter v28.7.23, a popular web application framework used for building dynamic websites and content management systems. The flaw, identified as a File Upload - Remote Code Execution (RCE) vulnerability, enables attackers to upload malicious PHP payloads and execute arbitrary code on the server, potentially leading to full system compromise.

Overview of the Vulnerability

The vulnerability exists within the media function of WEBIGniter, which allows users to upload files such as images, documents, or scripts. However, due to inadequate file validation and improper handling of uploaded content, the system fails to restrict execution of .php files. This oversight creates a direct path for remote attackers to inject and execute malicious code.

Attackers can exploit this flaw using any existing user account—no authentication bypass required. Once authenticated, they upload a crafted PHP file that, upon execution, reveals sensitive server information or allows further exploitation.

Exploit Demonstration

The proof-of-concept exploit provided by nu11secur1ty is simple yet devastating: the three-line phpinfo() script reproduced in the advisory above.

This minimal PHP script leverages the built-in phpinfo() function to display detailed information about the PHP environment, including:

  • Server configuration
  • PHP version and extensions
  • Environment variables
  • Installed modules and system paths
  • Security settings and potential misconfigurations

While phpinfo() itself is not inherently malicious, it acts as a diagnostic tool for attackers to gather intelligence. In real-world scenarios, this output can reveal sensitive data such as database credentials, file paths, or weak security configurations—key information for advancing attacks.

Attack Vector and Reproduction Steps

Reproducing the vulnerability requires the following steps:

  1. Access the WEBIGniter demo instance at https://webigniter.net/demo.
  2. Create a user account (registration is open to all).
  3. Navigate to the Media Upload section.
  4. Upload a file with the extension .php (e.g., exploit.php).
  5. Observe the server response—if the file executes, the vulnerability is confirmed.

According to the researcher, the system processes uploaded files without sanitizing or blocking PHP execution, making it trivial to run malicious code.

Impact and Risk Assessment

This vulnerability is classified as HIGH-CRITICAL by the vendor due to its severe implications:

| Impact | Description |
|---|---|
| Remote Code Execution | Attackers can execute arbitrary commands on the server, including system-level operations. |
| Data Exfiltration | Malicious scripts can read and steal sensitive data from databases, configuration files, or user records. |
| Privilege Escalation | Attackers can gain root access or escalate privileges to control the entire server. |
| Backdoor Installation | Malicious PHP files can be used to install persistent backdoors for long-term access. |
| Denial of Service (DoS) | Resource-intensive scripts can overwhelm the server, causing crashes or unavailability. |

Given that WEBIGniter is used in production environments, this vulnerability poses a significant threat to organizations relying on the platform for website management, content delivery, or e-commerce functionality.

Security Best Practices and Mitigations

Developers and administrators must implement the following security controls to prevent such vulnerabilities:

  • File Type Restrictions: Enforce strict file type filtering. Only allow safe extensions (e.g., .jpg, .png, .pdf) and block .php, .phtml, .exe, and other executable formats.
  • Content Inspection: Validate file contents using MIME type checks and file signature analysis (e.g., using fileinfo extension).
  • Execution Isolation: Store uploaded files in a non-executable directory (e.g., outside the web root) and serve them via a separate, secure endpoint.
  • File Renaming: Rename uploaded files to randomized names (e.g., upload_123456789.php) to prevent direct access via predictable paths. Renaming on its own does not stop execution while the file keeps a .php extension, so it must be combined with the extension and storage controls above.
  • Web Application Firewall (WAF): Deploy a WAF to detect and block suspicious file upload patterns and PHP code in requests.
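The following is an added example, written for this analysis and not taken from WEBIGniter or from the researcher's proof of concept, showing how the controls above combine in a single PHP upload handler: an extension allowlist, a fileinfo content check that must agree with the extension, a random stored name, storage outside the web root, and a separate download endpoint. The storage path `/var/app/uploads`, the form field name `media`, and the function names are assumptions made for illustration.

```php
<?php
// Added example (not WEBIGniter's code): a hardened upload handler applying
// the mitigations listed above. Paths and the "media" field name are assumed.
declare(strict_types=1);

// Allowlist: extension => MIME types fileinfo may legitimately report for it.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'pdf'  => ['application/pdf'],
];

// Storage directory OUTSIDE the document root (assumed path): even if a check
// is bypassed, the web server never executes anything stored here.
const UPLOAD_DIR = '/var/app/uploads';
const MAX_BYTES  = 5 * 1024 * 1024;

/**
 * Validate one $_FILES entry and return the random stored name, or throw.
 * Neither the client-supplied name nor its Content-Type is trusted.
 */
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The original name is used only to pick the allowlist entry; double
    // extensions such as "shell.php.jpg" are rejected outright.
    $name = basename((string) $file['name']);
    if (substr_count($name, '.') !== 1) {
        throw new RuntimeException('unexpected file name');
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Content inspection: ask fileinfo what the bytes really are and require
    // agreement with the claimed extension.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if (!in_array($detected, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException("content ($detected) does not match .$ext");
    }
    // Random stored name: the client never controls the final path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;
    // move_uploaded_file() refuses anything that was not a real HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // plain data, never executable
    return $stored;
}

/**
 * Serve a stored file through a separate endpoint. The name is re-validated
 * against the random-name pattern so "../" can never escape UPLOAD_DIR, and
 * the response is forced to download rather than render.
 */
function serveUpload(string $stored): void
{
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|jpeg|png|pdf)$/', $stored)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $stored;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    header('Content-Type: ' . $finfo->file($path));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $stored . '"');
    readfile($path);
}

// Wiring for the upload endpoint (assumed field name "media").
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['media'])) {
    try {
        echo json_encode(['stored' => storeUpload($_FILES['media'])]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

The content check is deliberately not the last line of defence: a valid JPEG can carry PHP code in its metadata, which is why the file is stored outside the document root and served with `nosniff` and a download disposition instead of being linked directly. As a belt-and-braces measure, the web server configuration should also disable the PHP engine for any directory under the document root that holds user-supplied files.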

Real-World Exploitation Use Case

Imagine an attacker uploading a PHP file named shell.php that hands a URL parameter to the system shell. Such a script enables remote command execution via URL parameters. For example:

https://example.com/media/shell.php?cmd=whoami

When executed, the server returns the current user identity, confirming the attacker’s access. Further commands like ls, cat /etc/passwd, or rm -rf / can be issued, allowing full control over the system.

Vendor Response and Remediation

As of the disclosure date, the vendor WEBIGniter.net has not issued an official patch or security advisory. However, users are strongly advised to:

  • Disable the media upload functionality until a patch is released.
  • Review and audit uploaded file handling mechanisms.
  • Update to a secure version of the software, if available.
  • Monitor server logs for suspicious file uploads or unusual command execution.
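To make the log-monitoring advice concrete, here is an added example (written for this analysis, not part of the advisory) of a small PHP detector that scans web server access-log lines for the two indicators of the upload-then-execute pattern described on this page: a script extension requested under the upload directory and answered with 200, and such a script called with a command-style query parameter. The Apache combined log format, the `/media/` upload prefix and the parameter names are assumptions, and the sample log lines are constructed rather than captured traffic.

```php
<?php
// Added example (not from the advisory): scan access-log lines for signs that
// an uploaded script was executed. Log format, upload prefix and parameter
// names are assumptions; the sample lines below are constructed.
declare(strict_types=1);

// Apache "combined" format: ip ident user [time] "METHOD path proto" status ...
const ACCESS_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';

/** Parse one combined-format line into its fields, or null if it does not match. */
function parseLine(string $line): ?array
{
    if (!preg_match(ACCESS_LOG_RE, $line, $m)) {
        return null;
    }
    $url = parse_url($m[4]);
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $url['path'] ?? $m[4],
        'query'  => $url['query'] ?? '',
        'status' => (int) $m[5],
    ];
}

/**
 * Return findings for two rules:
 *  1. a request for a script extension (.php, .php5, .phtml, .phar) under the
 *     upload directory that the server answered with 200: the server served
 *     or executed a script it should never have accepted;
 *  2. such a script called with a query parameter commonly used to pass
 *     commands (assumed names: cmd, c, exec, command).
 */
function findUploadExecution(array $lines, string $uploadPrefix = '/media/'): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $r = parseLine($line);
        if ($r === null || strpos($r['path'], $uploadPrefix) !== 0) {
            continue;
        }
        $ext = strtolower(pathinfo($r['path'], PATHINFO_EXTENSION));
        if (!preg_match('/^ph(p\d?|tml|ar)$/', $ext)) {
            continue;
        }
        if ($r['status'] === 200) {
            $findings[] = ['line' => $n, 'ip' => $r['ip'],
                           'rule' => 'script served from upload dir', 'path' => $r['path']];
        }
        parse_str($r['query'], $params);
        foreach (['cmd', 'c', 'exec', 'command'] as $p) {
            if (isset($params[$p])) {
                $findings[] = ['line' => $n, 'ip' => $r['ip'],
                               'rule' => "command parameter '$p'", 'path' => $r['path']];
                break;
            }
        }
    }
    return $findings;
}

// Constructed sample log: two benign media requests, then the pattern this
// advisory describes (upload, fetch of the stored script, command call).
$sample = [
    '203.0.113.5 - - [04/Sep/2023:10:01:02 +0000] "GET /media/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Sep/2023:10:01:09 +0000] "GET /media/report.pdf HTTP/1.1" 200 80213 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Sep/2023:10:05:41 +0000] "POST /admin/media/upload HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.7 - - [04/Sep/2023:10:05:43 +0000] "GET /media/exploit.php HTTP/1.1" 200 41233 "-" "curl/8.0"',
    '198.51.100.7 - - [04/Sep/2023:10:06:01 +0000] "GET /media/shell.php?cmd=whoami HTTP/1.1" 200 12 "-" "curl/8.0"',
];

foreach (findUploadExecution($sample) as $f) {
    printf("line %d from %s: %s (%s)\n", $f['line'], $f['ip'], $f['rule'], $f['path']);
}
```

On the sample above the detector flags line 3 (a .php fetched from the upload directory) and line 4 twice (the same rule plus the `cmd` parameter), while the image and PDF requests produce nothing. The first rule is the more reliable one: on a correctly configured server no request for a script under the upload path should ever succeed, so a single 200 there is worth an alert even without a suspicious query string.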

Until mitigation is applied, the system remains exposed to exploitation.

References and Resources

For deeper analysis and exploit details, refer to the researcher's GitHub repository and blog post linked in the advisory above.

Security professionals should treat this vulnerability as a high-priority threat and conduct immediate audits of all systems using WEBIGniter v28.7.23.