Online Student's Management System 1.0 - Remote Code Execution (Authenticated)

vendor:

Online Student's Management System

by:

Akıner Kısa

7.5

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Online Student's Management System

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:sourcecodester:online_student's_management_system:1.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: XAMPP

2020

Online Student’s Management System 1.0 – Remote Code Execution (Authenticated)

An authenticated user can upload a malicious shell file to the 'my-profile.php' page of the Online Student's Management System 1.0. The malicious shell file can then be accessed at the 'staffphoto/shell.php' URL.

Mitigation:

Ensure that user input is properly validated and sanitized before being used in the application.

Source

Exploit-DB raw data:

# Exploit Title: Online Student's Management System 1.0 - Remote Code Execution (Authenticated)
# Google Dork: N/A
# Date: 2020/10/18
# Exploit Author: Akıner Kısa
# Vendor Homepage: https://www.sourcecodester.com/php/14490/online-students-management-system-php-full-source-code-2020.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/studentrecord_0.zip
# Version: 1.0
# Tested on: XAMPP 
# CVE : N/A

Proof of Concept:

1 - Go to http://localhost/studentrecord/ url, click "click here to sign in" text and login with the 070101:070101 information. 

2 - Then go to http: //localhost/studentrecord/my-profile.php and upload your shell file from the upload new photo section and click the update button.

3 - Finally, open your shell in http://localhost/studentrecord/staffphoto/shell.php