This is how the server serves .php files:

In student.php, values are read from the $_POST array and placed into a SQL query, and the filters applied to them can be bypassed, so a crafted POST request can inject SQL of our choosing. In this case the injected query is used to make the server download and run our code.
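As an added illustration (not code from this report or from the affected application), the following snippet reproduces the pattern just described, a query assembled directly from $_POST, next to a parameterized rewrite. It uses an in-memory SQLite database so it runs stand-alone; the table name, columns and sample rows are assumptions.

```php
<?php
// Added example for this report, not code from the affected application.
// The table, columns and rows below are constructed for the demonstration.

function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)");
    $db->exec("INSERT INTO students (id, name) VALUES (1, 'alice'), (2, 'bob')");
    return $db;
}

// Vulnerable pattern: the POST value becomes part of the SQL text, so the
// sender controls the structure of the query. Any quote-based filter applied
// to $id can be worked around because the value is still parsed as SQL.
function find_student_vulnerable(PDO $db, array $post): array {
    $id  = $post['id'] ?? '';
    $sql = "SELECT id, name FROM students WHERE id = '" . $id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the value travels as a bound parameter and is never
// parsed as SQL, so there is no filter to bypass. Rejecting anything that is
// not a plain integer is an additional check for a numeric column.
function find_student_safe(PDO $db, array $post): array {
    $id = $post['id'] ?? '';
    if (!ctype_digit((string) $id)) {
        return [];
    }
    $stmt = $db->prepare("SELECT id, name FROM students WHERE id = :id");
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request body standing in for $_POST from a crafted request.
// In the vulnerable function the WHERE clause becomes: id = 'x' OR '1'='1'
$crafted = ['id' => "x' OR '1'='1"];
$db      = open_demo_db();
$leaked  = find_student_vulnerable($db, $crafted);
$safe    = find_student_safe($db, $crafted);
printf("vulnerable: %d rows, safe: %d rows\n", count($leaked), count($safe));
```

Disabling emulated prepares (PDO::ATTR_EMULATE_PREPARES = false) makes the database server, not the PHP driver, handle the parameter, which is the property that removes the injection rather than merely filtering it.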

Code that runs on server:

An admin user can upload .php file, so that it can be accessed by students.
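The following added example (not the application's own upload handler) shows how an upload feature for student-facing documents can be written so that a .php file never lands where the web server will execute it. The upload directory, the extension allow-list and the download helper are assumptions.

```php
<?php
// Added example, not code from the affected application. Directory, allow-list
// and sample files are constructed for the demonstration.

// Storage outside the document root: nothing in here is served directly.
const UPLOAD_DIR = '/var/app/uploads';

// Allow-list of extensions with the content type each one must have. A script
// extension (.php, .phtml, .phar, ...) simply never matches.
const ALLOWED_TYPES = [
    'pdf' => 'application/pdf',
    'txt' => 'text/plain',
];

// Returns the accepted extension, or null if the file must be rejected.
// $name is the client-supplied file name, $path the server-side temp file.
function accepted_extension(string $name, string $path): ?string {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }
    // Inspect the bytes, not the client-reported $_FILES[...]['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return $mime === ALLOWED_TYPES[$ext] ? $ext : null;
}

// Store one entry of $_FILES under a server-generated name.
function store_upload(array $file): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = accepted_extension($file['name'], $file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;   // uploader never picks the name
    return move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored) ? $stored : null;
}

// Hand a stored file to the student as a download, so it is read, not executed.
function send_download(string $stored): void {
    if (!preg_match('/^[0-9a-f]{32}\.([a-z]+)$/', $stored, $m) || !isset(ALLOWED_TYPES[$m[1]])) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $stored;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED_TYPES[$m[1]]);
    header('Content-Disposition: attachment; filename="' . $stored . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Stand-alone check with constructed files: a plain text note and a PHP file
// whose extension has been changed to look like a note.
$note = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($note, "lecture notes\n");
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php phpinfo();\n");
var_dump(accepted_extension('notes.txt', $note));
var_dump(accepted_extension('shell.php', $script));   // extension not on the allow-list
var_dump(accepted_extension('shell.txt', $script));   // extension allowed, bytes must still be text/plain
unlink($note);
unlink($script);
```

The two properties that matter are that uploads live outside the document root and are only ever returned through send_download() with a fixed Content-Type; with those in place, even a file that slips past the extension check is treated as data rather than as a script.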

Example of the uploaded .php file:

As shown above, the uploaded file contains the code that downloads and runs our code on the server.

About the server: the vulnerable functionality is reachable over HTTP, so an attacker can interact with it from any browser or other HTTP client.

Remember that this report is only a summary of the findings. I suggest that you conduct your own due diligence. If you discover something else on the server, feel free to contact me.

Timeline

Published on: 11/17/2022 23:15:00 UTC
Last modified on: 11/18/2022 18:27:00 UTC

References