Pre-auth OS Command Injection on SUNNET WMPro

Current Description

The WMPro v5.0 and v5.1 eLearning system has OS Command Injection via "/teach/course/doajaxfileupload.php". This affects many eLearning systems of governments, organizations, companies and universities. The target server can be exploited without authentication.

Details

The injection point is the basePath parameter of "/teach/course/doajaxfileupload.php".

OS commands are executed through the basePath parameter without authentication.

Description

An attacker can execute OS commands without authentication and upload a webshell to the target server.
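As an added example (not part of the original advisory, and not WMPro's own code), the following Python script checks web-server access logs for requests to the affected script whose basePath value contains shell metacharacters. It assumes an Apache/nginx "combined" log layout and that basePath arrives in the query string; the log lines embedded below are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed "combined" access-log layout: client IP first, request line in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+"'
)

# Path of the affected upload script, as named in the advisory.
VULN_PATH = "/teach/course/doajaxfileupload.php"

# Characters a legitimate directory path never needs but a shell interprets.
SHELL_META = re.compile(r"[;&|`<>\n\r]|\$\(")


def extract_basepath(target):
    """Return the decoded basePath value when the request targets the upload
    script, otherwise None."""
    url = urlsplit(target)
    if not url.path.endswith(VULN_PATH):
        return None
    values = parse_qs(url.query).get("basePath")
    return values[0] if values else None


def is_suspicious(basepath):
    """True when a basePath value carries shell metacharacters."""
    return basepath is not None and SHELL_META.search(basepath) is not None


def scan_access_log(lines):
    """Return (line number, client IP, decoded basePath) for each request that
    hits the upload script with a metacharacter-laden basePath."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        bp = extract_basepath(m.group("target"))
        if is_suspicious(bp):
            hits.append((n, m.group("ip"), bp))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Oct/2020:13:55:36 +0000] "GET /teach/course/doajaxfileupload.php?basePath=%2Fvar%2Fwww%2Fupload HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2020:13:56:01 +0000] "GET /teach/course/doajaxfileupload.php?basePath=%2Fupload%3Bid HTTP/1.1" 200 640',
    '203.0.113.7 - - [10/Oct/2020:13:56:05 +0000] "GET /index.php?basePath=x%3By HTTP/1.1" 200 128',
    '198.51.100.9 - - [10/Oct/2020:13:57:12 +0000] "POST /teach/course/doajaxfileupload.php HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for n, ip, bp in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {ip} sent basePath={bp!r}")
```

One caveat for anyone using this: if the parameter is sent in a POST body rather than the query string (as the last constructed line illustrates), a standard access log never records it, so a web application firewall or request-body logging in front of the application is needed to see those requests at all.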

Systems Affected

Target servers are compromised, with web shells uploaded.

Affected files

http://[Target Domain]/teach/course/doajaxfileupload.php

Contributor

  • Tony Kuo (CHT Security)
  • Tree Chiu (CHT Security)