PoC for Responsive Filemanager < 9.12.0 bypass upload restrictions lead to RCE
When uploading new file we go through function fix_filename: https://github.com/trippo/ResponsiveFilemanager/blob/9a7411f3eab3b7d8e2c78dcf40b4325bde2c548d/filemanager/upload.php#L112
In this function we have function strip_tags which searches brackets and removes them: https://github.com/trippo/ResponsiveFilemanager/blob/9a7411f3eab3b7d8e2c78dcf40b4325bde2c548d/filemanager/include/utils.php#L581
So, we can send file with filename lick shell.php<.txt, which will be renamed to shell.php due to function strip_tags.
But, there's additional check of file type by it's content: https://github.com/trippo/ResponsiveFilemanager/blob/9a7411f3eab3b7d8e2c78dcf40b4325bde2c548d/filemanager/upload.php#L101
So, we cannot upload classic php shell <?php system($_GET['c']);?>. But, we can do a little trick: function get_extension_from_mime works based on first several chars of file. So, if we start our payload with several 'a' chars, it can be detected with txt type.
- Intercept upload request with burp suite
- Change filename to
shell.php<.txt
- go to url/source/shell.php?c=<your_command>
