CVE-2022-39179 College Management System v1.0 - Authenticated remote code execution

This is how the server serves .php files:

In student.php, a SQL injection is reachable through values read from the $_POST array, which bypasses the filters. Because the query is built from $_POST, we can inject our own commands; in this case, the injected payload makes the server download our code and run it.

Code that runs on server:

An admin user can upload a .php file, which is then accessible to students.

Example of the uploaded .php file:

As you can see, it contains the code that downloads and runs our code on the server.
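The two weaknesses described above (a query built from $_POST in student.php, and an admin upload that lets a .php file be stored where students can fetch it) are both fixable at the code level. The following is an added defensive example and is not code from College Management System v1.0; the table name `students`, the column `roll_no`, the `uploads/` directory and the function names are assumptions for illustration.

```php
<?php
// Added defensive example, not code from College Management System v1.0.
// Assumptions (illustrative only): a table `students` with a `roll_no`
// column, and an `uploads/` directory from which the web server never
// executes PHP.

declare(strict_types=1);

// --- 1. Querying with a value taken from $_POST ---------------------------
// A prepared statement binds the user-supplied value as data, so it can never
// change the structure of the SQL statement the way string concatenation can.
function findStudent(PDO $db, string $rollNo): ?array
{
    $stmt = $db->prepare('SELECT id, name, roll_no FROM students WHERE roll_no = :roll');
    $stmt->execute([':roll' => $rollNo]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- 2. Accepting an admin upload without ever storing executable PHP -------
// Allow-list by content-detected MIME type, choose the stored name and
// extension on the server, and ignore the client-supplied filename entirely.
const ALLOWED_TYPES = [
    'application/pdf' => 'pdf',
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
];

function storeUpload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Detect the type from the bytes, not from the name or the client's claim.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('file type not allowed: ' . $mime);
    }
    // Random server-chosen name plus an allow-listed extension: a file named
    // "notes.php" or "notes.pdf.php" cannot reach disk under a .php name.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// --- 3. Handing the file back to students as a download, not a script -------
function sendDownload(string $uploadDir, string $name): void
{
    // Accept only names generated by storeUpload(); this also blocks "../".
    if (!preg_match('/^[a-f0-9]{32}\.(pdf|png|jpg)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = rtrim($uploadDir, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

The code-level checks should be backed by the web server: keep `uploads/` outside the document root or configure it so no PHP handler applies to it (for example `php_flag engine off` in an Apache `.htaccess`, or a location block in nginx that has no `fastcgi_pass`), so that even a file that slips past validation is only ever served as bytes. For detection, log and alert on any write of a file whose content begins with `<?php` into a directory reserved for uploads.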

About the server: an attacker can reach it with any browser or other client software.

Remember that this report is only a summary of the findings. I suggest that you conduct your own due diligence. If you discover something else in the server, feel free to contact me.
