Skip to content

Instantly share code, notes, and snippets.

@tonykuo76

tonykuo76/SUNNET WMPro OS Command Injection.md Secret

Last active November 7, 2019 10:28
Show Gist options
  • Star 2 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save tonykuo76/476164af9bc672281b9a3394f01c17f0 to your computer and use it in GitHub Desktop.
Save tonykuo76/476164af9bc672281b9a3394f01c17f0 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
SUNNET WMPro OS Command Injection.md

Pre-auth OS Command Injection on SUNNET WMPro

Current Description

The WMPro v5.0 and v5.1 for eLearning system has OS Command Injection via "/teach/course/doajaxfileupload.php". This affects many eLearning system of governments, organizations, companies and universities. The target server can be exploited without authentication.

Details

The injection point is basePath parameter in "/teach/course/doajaxfileupload.php".

We execute OS Command via basePath paramemer without authentication.

Description

We can execute OS Command without authentication and upload the webshell to the target server.

Systems Affected

Compromised target servers with web shells uploaded.

Affected files

http://[Target Domain]/teach/course/doajaxfileupload.php

Contributor

  • Tony Kuo (CHT Security)
  • Tree Chiu (CHT Security)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment