Qualitor Code Injection Vulnerability in getResumo.php Remote Exploitation
Vulnerability
A critical code injection vulnerability has been identified in Qualitor Web versions 8.20 and 8.24. The issue arises in the file '/html/st/stdeslocamento/request/getResumo.php', where the 'eval' function is used to execute the 'passageiros' parameter from the request without adequate validation. Although a 'sanitizeEval' function exists, it fails to sufficiently prevent code injection. This vulnerability allows unauthenticated attackers to inject arbitrary PHP code, which is then executed on the server. Exploitation of this flaw could lead to remote code execution, allowing attackers to execute operating system commands, establish reverse shells, and gain unauthorized access to sensitive data, including configuration files and databases. The vulnerability also facilitates lateral movement within the network, potentially leading to a complete compromise of the affected server.
Impact
Successful exploitation allows for code injection, with the injected code executed on the server. This could be leveraged for remote code execution, using functions like system(), exec(), passthru(), or shell_exec() to execute operating system commands. Such access could be used to create reverse shells, obtain unauthorized access to sensitive data (including configuration files and databases), move laterally within the network, and fully compromise the affected server.
Reproduction
The vulnerability can be reproduced by sending a request to the 'getResumo.php' file with a manipulated 'passageiros' parameter. The 'eval' function will execute the injected code without proper validation, leading to code execution on the server.
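The following is an added illustration, not Qualitor's code: the actual contents of getResumo.php and its sanitizeEval() are not reproduced. It places the eval-on-request-parameter pattern described above beside a replacement that parses the parameter as data, assuming (hypothetically) that 'passageiros' carries a list of passenger IDs.

```php
<?php
// Added example, not Qualitor's code. The real getResumo.php and its
// sanitizeEval() are not reproduced; this only illustrates the pattern.

// Vulnerable pattern: whatever arrives in 'passageiros' is handed to eval().
// A blocklist-style sanitizer in front of eval() is fragile because the input
// is still treated as PHP source; one missed construct is enough.
function resumoInseguro(array $request): array {
    $passageiros = [];
    eval('$passageiros = ' . $request['passageiros'] . ';'); // user input as code
    return $passageiros;
}

// Hardened replacement: treat the parameter as data, never as code. The
// assumed format is a JSON array of positive integer IDs; anything else is
// rejected. Requires PHP >= 8.1 for array_is_list().
function resumoSeguro(array $request): array {
    if (!isset($request['passageiros']) || !is_string($request['passageiros'])) {
        throw new InvalidArgumentException('passageiros is required');
    }
    // Depth 2 is enough for a flat list; malformed JSON throws JsonException.
    $decoded = json_decode($request['passageiros'], true, 2, JSON_THROW_ON_ERROR);
    if (!is_array($decoded) || !array_is_list($decoded)) {
        throw new InvalidArgumentException('passageiros must be a JSON list');
    }
    $ids = [];
    foreach ($decoded as $item) {
        // Allowlist: each element must be an integer greater than zero.
        if (!is_int($item) || $item <= 0) {
            throw new InvalidArgumentException('invalid passenger id');
        }
        $ids[] = $item;
    }
    return $ids;
}

// Constructed sample inputs: a well-formed list, then two rejected values.
var_dump(resumoSeguro(['passageiros' => '[1, 2, 3]']));
foreach (['"abc"', '1; 2; 3'] as $bad) {
    try {
        resumoSeguro(['passageiros' => $bad]);
    } catch (Throwable $e) {
        echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
    }
}
```

With data parsing in place there is no code path from the request parameter to eval(), which removes the class of bug rather than trying to filter it.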