
CVE-2024-40318 PoC — Webkul QloApps Security Vulnerability

Source
Associated Vulnerability
Title: Webkul QloApps Security Vulnerability (CVE-2024-40318)
Description: Webkul QloApps is hotel reservation management software from Webkul. Webkul QloApps version 1.6.0.0 contains a security vulnerability that stems from an arbitrary file upload flaw. An attacker can exploit it to execute arbitrary code by uploading a specially crafted file.
Description
Remote code execution vulnerability in QloApps (version 1.6.0.0)
Readme
# RCE-QloApps-CVE-2024-40318
A remote code execution (RCE) attack allows an attacker to run code on a computer. The ability to execute code could lead to deploying additional malware, stealing sensitive data, or even harming the server.

The remote code execution was discovered in QloApps version 1.6.0.0 while the application was being checked in the administrator panel, in the section "Modules and services", where it is possible to upload a modified module such as "mailchimp-for-prestashop" (https://addons.prestashop.com/en/newsletter-sms/26957-mailchimp-for-prestashop.html). This allowed evading the PHP file upload restriction and obtaining remote code execution by modifying the file "cronjob.php" and accessing it through the web browser.
File Snapshot

[4.0K] /data/pocs/07206532c8c51c9f69b188a2a062a3839bd5f6be
├── [736K] qloapps--RCE.pdf
└── [ 752] README.md

0 directories, 2 files