- Author: YU-HSIANG HUANG, YUNG-HAO TSENG, Eddie TC CHANG
- Contact: huang.yuhsiang.phone@gmail.com; 0xuhaw@gmail.com; eddietcchang@gmail.com
- Product: webERP 4.15
- Last updated: 2018/05/21
- Official Website: http://www.weberp.org/
- Github: https://github.com/webERP-team/webERP
The Z_CreateCompanyTemplateFile.php have Incorrect Access Control vulnerability that could overwrite existing SQL file at the target web.
- Assume we want to overwrite the
/weberp/sql/mysql/country_sql/demo.sql. Here can see the target file size is 1.2MB.
- View the source code of
Z_CreateCompanyTemplateFile.php, we can know the original location that create new SQL file should under the/weberp/companies/(DatabaseName)/reports/path.
- So, we select
WebERP Demo Companyand user/password isadmin/weberpto login, then clickUtilities->Create new company template SQL file and submit to webERP.
- Because of we want to overwrite the SQL file which name is
demo, we inputdemoin the field.
- We set the BurpSuite to intercept packet before submit, then click
Create Template and Emailbutton and edit value of parameterTemplateName.
Payload:../../../sql/mysql/country_sql/demo
- Check the
/weberp/sql/mysql/country_sql/demo.sqlfile size. Here can see the target file size is changed.(From 1.2M to 44K)
