- Author: YU-HSIANG HUANG, YUNG-HAO TSENG, Eddie TC CHANG
- Contact: huang.yuhsiang.phone@gmail.com; 0xuhaw@gmail.com; eddietcchang@gmail.com
- Product: webERP 4.15
- Last updated: 2018/05/21
- Official Website: http://www.weberp.org/
- Github: https://github.com/webERP-team/webERP
The Z_CreateCompanyTemplateFile.php
have Incorrect Access Control vulnerability that could overwrite existing SQL file at the target web.
- Assume we want to overwrite the
/weberp/sql/mysql/country_sql/demo.sql
. Here can see the target file size is 1.2MB. - View the source code of
Z_CreateCompanyTemplateFile.php
, we can know the original location that create new SQL file should under the/weberp/companies/(DatabaseName)/reports/
path. - So, we select
WebERP Demo Company
and user/password isadmin/weberp
to login, then clickUtilities->Create new company template SQL file and submit to webERP
. - Because of we want to overwrite the SQL file which name is
demo
, we inputdemo
in the field. - We set the BurpSuite to intercept packet before submit, then click
Create Template and Email
button and edit value of parameterTemplateName
.
Payload:../../../sql/mysql/country_sql/demo
- Check the
/weberp/sql/mysql/country_sql/demo.sql
file size. Here can see the target file size is changed.(From 1.2M to 44K)