Client Manager Pro v2.5.1 WebShell Upload

2019.04.18
QUIXSS (RU)
Risk: Medium
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

# Title: Client Manager Pro v2.5.1 WebShell Upload
# Author: QUIXSS
# Date: 2019-04-17
# Software: Client Manager Pro v2.5.1
#
# Technical Details & Description:
# Weak file upload filtering has been discovered in the «Client Manager Pro» web application. The current version of this web application is 2.5.1.
#
# Demo Website:
# https://codecanyon.net/item/client-manager-pro/21701321
# http://crm.clustercoding.com/demo/
# Login: admin@mail.com, Password: demo
#
# PoC Upload:
# http://crm.clustercoding.com/demo/public/uploaded_files/1555552176.php
#
# PoC [WebShell Upload]:
# Log in to the demo website for tests: http://crm.clustercoding.com/demo/ (login is admin@mail.com and password is demo). There are two ways to upload any .PHP file we want.
#
# The first one is via the «File Upload» page ( http://crm.clustercoding.com/demo/folders ). Add a new folder or use any existing one, it doesn't matter. Press the «Add File» button and fill in the form. The .PHP file type is not allowed for upload, so change the file type from .PHP to .PHP5 and upload your WebShell or any other .PHP file you want. After a successful upload your file will be in this directory, waiting for your commands: http://crm.clustercoding.com/demo/public/uploaded_files/
#
# The second one is via the user's profile page, and works for the admin account and basic user accounts ( http://crm.clustercoding.com/demo/profile/user-profile ): choose your .PHP5 file as the «Profile Picture» (change the file type of your WebShell from .PHP to .PHP5) and press the «Update Profile» button, then «inspect» the profile picture. Your uploaded file will be here -> http://crm.clustercoding.com/demo/public/profile_picture/
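
Added example, not code from the advisory or from Client Manager Pro: a blocklist that rejects only `.php`, which would behave as the advisory describes, beside an allowlist check on extension and sniffed content type. The function names, the `ALLOWED` policy and the sample inputs are assumptions constructed for illustration; it needs PHP 7.1+ with the fileinfo extension.

```php
<?php
declare(strict_types=1);

// Weak pattern (assumed reconstruction, not the vendor's code): a blocklist
// that only knows ".php", so ".php5" and other handler-mapped names pass.
function blocklist_allows(string $clientName): bool
{
    return strtolower(pathinfo($clientName, PATHINFO_EXTENSION)) !== 'php';
}

// Hardened pattern: allowlist of extension AND sniffed content type.
const ALLOWED = [ // hypothetical policy for a profile-picture field
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

// Returns a server-generated file name, or null when the upload is rejected.
function safe_stored_name(string $clientName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null; // extension is not on the allowlist
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        return null; // content does not match the claimed type
    }
    return bin2hex(random_bytes(16)) . '.' . $ext; // client name is discarded
}

// Constructed sample inputs, written to temp files so the script runs offline.
$pngBytes = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
          . "\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00";
$phpBytes = "<?php echo 'constructed sample'; ?>\n";
$cases = [
    ['report.php5', $phpBytes], // renamed script, as in the advisory
    ['avatar.png',  $phpBytes], // script content behind an image extension
    ['avatar.png',  $pngBytes], // genuine PNG header
];
foreach ($cases as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    printf("%-12s blocklist=%-6s allowlist=%s\n", $name,
        blocklist_allows($name) ? 'accept' : 'reject',
        safe_stored_name($name, $tmp) ?? 'reject');
    unlink($tmp);
}
```

Serving the upload directories with script execution disabled in the web server is a separate control that still applies when this validation is in place.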

References:

https://codecanyon.net/item/client-manager-pro/21701321


Copyright 2024, cxsecurity.com