This repo explains how to bypass the file upload restrictions in Koken CMS 0.22.24 (authenticated).
Koken is a free content management system designed for photographers, designers and artists.
Website: http://koken.me/
Koken CMS is also available on Softaculous: https://www.softaculous.com/apps/cms/Koken
The Koken CMS upload restrictions are based on a list of allowed file extensions (a whitelist), which can be bypassed by editing the HTTP request in Burp.
After logging in to the Koken CMS admin panel, select the "Import Content" option.
As a proof of concept, I created a PHP file containing a call to phpinfo() and saved it with a double extension (image.php.jpg).
I selected the image.php.jpg file, intercepted the upload request in Burp, and changed the file extension to .php.
Back in the image library, there is a "Download File" button that shows where the malicious file was saved on the server.
Just access it to confirm the proof of concept.
In this scenario, an attacker could send a reverse shell, for example, in order to compromise the server.
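The bypass works because the extension check can be satisfied by a name the client controls and then edited in transit. The following is an added example, not Koken's code or the author's, showing how a server-side upload handler should validate the file it actually received: take the extension after the last dot of the client-supplied basename, compare it against an allowlist, require the file's leading bytes to match that type's signature, and store the file under a name the server generates. The allowlist, the signature table and the function names are assumptions for illustration; the logic is written in Python so it can be run standalone, although a PHP application would implement the same checks.

```python
import os
import secrets

# Allowlist of extensions the application is willing to store.
# Assumed policy for this example, not Koken's actual list.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes each allowed type must start with; the content has to
# agree with the extension, not just the name.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def final_extension(filename):
    """Return the lowercased extension after the LAST dot of the basename.

    'image.php.jpg' -> 'jpg', 'image.php' -> 'php', 'image.PHP' -> 'php',
    'noext' -> ''. Path components are discarded first.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def validate_upload(client_filename, content):
    """Server-side validation that does not trust the client-supplied name.

    client_filename is whatever arrived in the multipart request (possibly
    edited in a proxy); content is the raw bytes that were uploaded.
    Returns (accepted, stored_name_or_reason).
    """
    ext = final_extension(client_filename)
    if ext not in ALLOWED_EXTENSIONS:
        # 'image.php' (renamed in the proxy) and 'shell.jpg.php' both land here.
        return False, "extension not allowed: %r" % ext
    if not content.startswith(MAGIC[ext]):
        # 'image.jpg' carrying PHP source fails here.
        return False, "content does not match %s signature" % ext
    # The server picks the stored name; the client's basename is never reused,
    # so an edited filename cannot influence what ends up on disk.
    stored_name = secrets.token_hex(16) + "." + ext
    return True, stored_name


if __name__ == "__main__":
    # Constructed sample inputs mirroring the three cases above.
    jpeg_bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    php_bytes = b"<?php phpinfo(); ?>"
    for name, data in [("image.php.jpg", jpeg_bytes),
                       ("image.php", php_bytes),
                       ("image.jpg", php_bytes)]:
        print(name, "->", validate_upload(name, data))
```

Checking the final extension and the magic bytes closes the double-extension and renamed-request cases described above; it should be combined with storing uploads outside the web root, or in a directory where the web server does not execute scripts, so that a file that slips through validation still cannot run as PHP.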