🖨️ My first RCE
ShiSHcat 🐈
This story took place in the first days of March 2020
In the last days of February 2020, every school in Italy closed because of the COVID-19 outbreak. Schools took some days to setup their online learning system, and my sister school settled for the teaching materials tools in our online grades register.
I never used that feature before, so before finding it I stumbled upon an integration that the register had with a locally made webapp, to store assigments, slides etcetera.
Users seemed to have their own folder, on the main website domain, where they can save the slides and upload files. I still didn't have any kind of vulnerability hunting knowledge, but my brain told me, mayybe it doesn't check the file type, and it lets me upload any kind of file ;)
The website is entirely made in PHP, and as we know, PHP generally works by executing .php files in the website folder. So, what is going to happen if I try to upload a file.php, containing:
<?php echo "test";
I decided to try, since it would likely fail, and if it would work, it's gonna get reported anyway. As you probably have guessed, that was it, there were no checks neither on the upload nor the download, the upload went through as normal, and polling the file in my private directory, it would return test, as a confirmation of our custom PHP getting executed.
The vulnerability was reported to the developer of the app via Facebook, and was fixed as soon as possible by putting an upload extension blocklist. I am still mentioned in the upload page of the service, which is pretty cool since many schools use it.