Php Inventory - Arbitrary File Upload

EDB-ID:

43069

CVE:

2017-15990

EDB Verified:

Author:

Ihsan Sencan

Type:

webapps

Exploit: /

Platform:

PHP

Date:

2017-10-30

Vulnerable App:

# # # # # 
# Exploit Title: Php Inventory & Invoice Management System - Arbitrary File Upload
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://savsofteproducts.com/
# Software Link: http://www.phpinventory.com/
# Demo: http://phpinventory.com/phpinventory_demo/ 
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15990
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# 
# The vulnerability allows an users upload arbitrary file....
# 
# Vulnerable Source:
#
# .............1
# if($_FILES['userfile']['name']!=''){	
#	$target = 'images/user_pics/';
#	$targets = $target . basename( $_FILES['userfile']['name']);
#	$docadd=($_FILES['userfile']['name']);
#	if(move_uploaded_file($_FILES['userfile']['tmp_name'], $targets))
#		{
#			$pfilename=$_FILES['userfile']['name'];
#			$filename=time().$pfilename;
#			$new_path=$target.$filename;
#			rename($targets,$new_path);
#		}
#
#}else{
#$filename=$_POST['user_picname'];
#}
# .............2,3,4
# $target = 'images/logo/';
# $target = 'images/product_images/';
# $target = 'images/service_providers/';
# Etc..
# .............
#
# Proof of Concept: 
# 
# http://localhost/[PATH]/index.php/dashboard/edit_myaccountdetail/
# 
# http://localhost/[PATH]/images/user_pics/[...].php
# 
# Etc..
# # # # #

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services