===========================================================================================
# Exploit Title: Webiness Inventory 2.3 - 'ProductModel' Arbitrary File Upload
# Dork: N/A
# Date: 10-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://sourceforge.net/projects/webinessinventory/files/
# Software Link: https://sourceforge.net/projects/webinessinventory/files/
# Version: 2.3
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: CVE-2019-8404
# Software Description: Small stock inventory management application for web.
===========================================================================================
# POC:
# Sign in to the admin panel, then go to the inventory tab.
Switch to the products tab and create a new product.
In product image, click the browse button and select a file.
https://i.hizliresim.com/OvrOOn.jpg
When you save the product, the script is uploaded to the server along with
an error, for example "service unavailable".
https://i.hizliresim.com/zjGqD4.jpg
Path to the file we uploaded:
https://i.hizliresim.com/XMbpp5.jpg
# http://localhost/[PATH]/runtime/ProductModel/[FILE]
===========================================================================================