Pre-auth OS Command Injection on SUNNET WMPro
Current Description
WMPro v5.0 and v5.1 for eLearning systems has an OS command injection vulnerability via "/teach/course/doajaxfileupload.php". This affects many eLearning systems of governments, organizations, companies and universities. The target server can be exploited without authentication.
Details
The injection point is the basePath parameter in "/teach/course/doajaxfileupload.php".
We execute OS commands via the basePath parameter without authentication.
Description
We can execute OS commands without authentication and upload a web shell to the target server.
Systems Affected
Target servers can be compromised, with web shells uploaded to them.
Affected files
http://[Target Domain]/teach/course/doajaxfileupload.php
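For defenders reviewing web server logs, the following added example (not part of the original advisory or of SUNNET's code) flags requests to the affected file whose basePath value falls outside a conservative path allow-list. It assumes the common/combined access log format and that basePath may appear in the query string; the allow-list, the sample log lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/teach/course/doajaxfileupload.php"   # affected file named in the advisory
SAFE_VALUE = re.compile(r"[A-Za-z0-9_./-]*")       # assumed allow-list for a path value
# Common/combined log format: client ... "METHOD URI PROTOCOL" status size
LOG_RE = re.compile(r'^(\S+) .*?"(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(line):
    """Return (client, method, status, verdict) for hits on ENDPOINT, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, uri, status = m.groups()
    parts = urlsplit(uri)
    if parts.path.lower() != ENDPOINT:
        return None
    # parse_qs percent-decodes values, so encoded metacharacters are seen as-is
    values = parse_qs(parts.query, keep_blank_values=True).get("basePath", [])
    if any(not SAFE_VALUE.fullmatch(v) or ".." in v for v in values):
        verdict = "suspicious"   # basePath holds characters outside the allow-list
    elif method == "POST" and not values:
        verdict = "review"       # parameter may be in the body, which is not logged
    else:
        verdict = "ok"
    return client, method, int(status), verdict

# Constructed sample lines (documentation addresses, placeholder values).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /teach/course/doajaxfileupload.php?basePath=course01/files HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2020:10:00:05 +0000] "GET /teach/course/doajaxfileupload.php?basePath=docs%3BCONSTRUCTED HTTP/1.1" 200 87
198.51.100.7 - - [01/Jan/2020:10:00:09 +0000] "POST /teach/course/doajaxfileupload.php HTTP/1.1" 200 64
192.0.2.10 - - [01/Jan/2020:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

def scan(text):
    """Return every endpoint hit whose verdict is not 'ok'."""
    hits = [classify(line) for line in text.splitlines()]
    return [h for h in hits if h and h[3] != "ok"]

if __name__ == "__main__":
    for client, method, status, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:10} {client} {method} -> {status}")
```

Because the flaw is reachable without authentication, "review" hits deserve correlation with file-creation times under the web root, since access logs do not record POST bodies.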
Contributor
- Tony Kuo (CHT Security)
- Tree Chiu (CHT Security)