Skip to content

lohyt/Code-execution-via-vulnerable-file-upload-functionality-found-in-Student-Attendance-Management-Syste

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

CVE-2021-45865

Code-execution-via-vulnerable-file-upload-functionality-found-in-Student-Attendance-Management-System

Description: Code execution via vulnerable file upload functionality found in Student Attendance Management System from Sourcecodester website.

[Additional Information] There is a hidden endpoint site_settings. The endpoint might be hidden from the user end but an attacker could easily enumerate by directory brute forcing. In the endpoint site_settings admin can update site settings and also can upload an image. This parameter is vulnerable and it lets the attacker upload any malicious file, thereby leading to code execution. Though there is a feature of adding some random digits at the start of the file while saving to the database, the attacker can easily find the path of the file by brute forcing. There are tools where an attacker can perform a brute force specific with the extension they upload, in this case, adding random digits as prefix alone won't be sufficient. To remediate the issue strong file upload restrictions have to be implemented. The checks should be for file extension, MIME type, magic number, null byte. To make it even tougher, if the file name that the user uploads is shell the file is being stored as randomnumer_shell.php If the original name could be discarded while storing and instead if the file is saved with random number alone it would become tougher for the attacker to enumerate. The file upload functionality is one of the most critical functionality and to know more about the attacks, remediation and secure practices please check here https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload

[Vulnerability Type] Code execution via vulnerable file upload functionality.

[Vendor of Product] https://www.sourcecodester.com/

[Affected Product Code Base] Student Attendance Management System

[Affected Component] http://localhost/student_attendance/index.php?page=site_settings

[Attack Type] Remote

[Impact Information Disclosure] true

[Attack Vectors] Steps to reproduce: Go to url http://localhost/student_attendance/index.php?page=site_settings Save this code with extension .php and upload it The file will be saved in the folder localhost/student_attendance/assets/uploads We can execute arbitrary comamnds in the format http://localhost/student_attendance/assets/uploads/1640374020_shell.php?c=<command_goes_here> Example for the code execution http://localhost/student_attendance/assets/uploads/1640374020_shell.php?c=dir

[Discoverer] M Lohith

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published