Pre-auth OS Command Injection on SUNNET WMPro

Current Description

The WMPro v5.0 and v5.1 eLearning system has an OS command injection vulnerability via "/teach/course/doajaxfileupload.php". This affects many eLearning systems of governments, organizations, companies and universities. The target server can be exploited without authentication.


The injection point is the basePath parameter in "/teach/course/doajaxfileupload.php".

We execute OS commands via the basePath parameter without authentication.


We can execute OS commands without authentication and upload a webshell to the target server.

Systems Affected

Compromised target servers with web shells uploaded.

Affected files

http://[Target Domain]/teach/course/doajaxfileupload.php
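A log-review sketch for the endpoint above, added here as an example and not part of the original advisory or the vendor's code. It assumes Combined Log Format access logs, that basePath is visible in the query string, and that a legitimate value contains only plain path characters; the sample lines are constructed. Because a basePath sent in the request body never reaches the access log, every request to the endpoint is reported for review.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/teach/course/doajaxfileupload.php"
# Assumption: a legitimate basePath is a plain path made of these characters only.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_./-]*")
# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def review(lines):
    """Return (ip, time, status, verdict) for every request to ENDPOINT."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, when, _method, target, status = m.groups()
        url = urlsplit(target)
        if url.path.lower() != ENDPOINT:
            continue
        # parse_qs percent-decodes values, so encoded metacharacters are seen.
        values = parse_qs(url.query, keep_blank_values=True).get("basePath", [])
        if any(not SAFE_VALUE.fullmatch(v) for v in values):
            verdict = "suspicious-basePath"
        else:
            # basePath may be in the POST body, which access logs do not record.
            verdict = "endpoint-access"
        hits.append((ip, when, int(status), verdict))
    return hits


# Constructed sample log lines (documentation IP ranges, placeholder values).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2020:10:00:00 +0800] "POST /teach/course/doajaxfileupload.php?basePath=/data/course/101/ HTTP/1.1" 200 120',
    '198.51.100.9 - - [01/Jan/2020:10:05:00 +0800] "POST /teach/course/doajaxfileupload.php?basePath=%3BCONSTRUCTED HTTP/1.1" 200 0',
    '203.0.113.7 - - [01/Jan/2020:10:06:00 +0800] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2020:10:07:00 +0800] "POST /teach/course/doajaxfileupload.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in review(SAMPLE):
        print(*hit, sep="\t")
```

Since the advisory states the endpoint is reachable without authentication, requests to it from addresses with no preceding login activity are the ones to examine first.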


  • Tony Kuo (CHT Security)
  • Tree Chiu (CHT Security)