Responsive E-Learning System 1.0 - Unrestricted File Upload to RCE

vendor:

Responsive E-Learning System

by:

Kshitiz Raj (manitorpotterk)

9.8

CVSS

HIGH

Unrestricted File Upload to RCE

434

CWE

Product Name: Responsive E-Learning System

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:sourcecodester:responsive_e-learning_system:1.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 10/Kali Linux

2020

Responsive E-Learning System 1.0 – Unrestricted File Upload to RCE

An attacker can exploit the unrestricted file upload vulnerability in the Responsive E-Learning System 1.0 to gain remote code execution. The attacker can login to the application with admin credentials, click on Student or go to http://localhost/elearning/admin/student.php, click on Add Student and fill the required things. In image upload any php reverse shell. Then, the attacker can visit http://localhost/elearning/admin/uploads/ and select the uploaded PHP web shell.

Mitigation:

Restrict the file types that can be uploaded to the application and validate the file type before uploading.

Source

Exploit-DB raw data:

# Exploit Title: Responsive E-Learning System 1.0 - Unrestricted File Upload to RCE
# Date: 2020-12-24
# Exploit Author: Kshitiz Raj (manitorpotterk)
# Vendor Homepage: https://www.sourcecodester.com/php/5172/responsive-e-learning-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=5172&title=Responsive+E-Learning+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows 10/Kali Linux

Step 1 -  Login to the application with admin credentials.
Step 2 - Click on Student or go to http://localhost/elearning/admin/student.php
Step 3 - Click on Add Student and fill the required things.
Step 4 - In image upload any php reverse shell.
Step 5 - Visit "http://localhost/elearning/admin/uploads/" and select your uploaded PHP web shell.