| Field | Value |
|---|---|
| Title | code-projects Student Crud Operation In PHP V3.3 Remote Code Execution (via Arbitrary File Upload) |
| Source | ⚠️ https://github.com/romatdibrohiksnov/vulndb.com/blob/main/Student-Registration-Crud-Operation%20Unauthenticated%20Arbitrary%20File%20Upload%20leads%20to%20Remote%20Code%20Execution/Student-Registration-Crud-Operation%20Unauthenticated%20Arbitrary%20File%2 |
| User | px_kanten (UID 90960) |
| Submitted | 2025-09-29 10:20 AM (8 months ago) |
| Moderated | 2025-10-06 08:19 AM (7 days later) |
| Status | Accepted |
| VulDB entry | 327232 [code-projects Student Crud Operation up to 3.3 Add Student Page/Edit Student Page add.php move_uploaded_file privilege escalation] |
| Points | 20 |

Description:

- Vulnerability: Unauthenticated Arbitrary File Upload leading to Remote Code Execution (CWE-434 / CWE-94).
- Affected components: add.php and edit.php. Both endpoints write user-supplied files directly into a web-accessible directory without extension, MIME or content validation:
  - `add.php` calls move_uploaded_file() to save the file under upload_images/ before attempting the INSERT; even when the INSERT fails with "Data not insert" because of a schema mismatch, the file has already been saved.
  - `edit.php` saves the uploaded file via move_uploaded_file() after a successful UPDATE and does not validate the file type.
- Reproduction: Use the "Add New Student" modal in index.php to upload a PHP payload (e.g., webshell.php). Submit the form. Despite seeing "Data not insert" (caused by a schema mismatch: add.php references u_state, which is absent from the table), the file is still stored in upload_images/. Then visit {BASE_URL}/Student-Registration-Crud-Operation/upload_images/webshell.php and observe execution.
- Validation result: Successfully connected to the uploaded webshell at http://localhost/Student-Registration-Crud-Operation/upload_images/webshell.php and executed commands; whoami returned "kanten", proving RCE. The environment shows Windows 10 / PHPStudy / PHP 7.3.4 and DocumentRoot at C:\phpstudy_pro\WWW.
- Impact: Full server compromise (command execution, file read/write, DB access), leading to complete confidentiality, integrity, and availability loss. CVSS v3.1 (estimate): AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Critical).
- Mitigations: Strict allow-list for extensions (images only) plus MIME and content checks (e.g., getimagesize/imagetype); randomize file names and store them outside the web root or in a directory with script execution disabled; enforce authentication/authorization and CSRF protection for uploads; limit file size; sanitize names; perform server-side validation; log and alert on suspicious uploads. Mitigation priority: <5>.
- External links:
  - Project homepage: https://code-projects.org/student-crud-operation-in-php-with-source-code/
  - Source download page: https://download.code-projects.org/details/c4836779-1828-4e2b-95c2-e027096314c6
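The mitigations listed above, as an added example of a hardened upload handler; this is not the project's code and not part of the original submission. It assumes a form field named `photo` and a storage directory `UPLOAD_DIR` that sits outside the DocumentRoot (or has PHP execution disabled); it rejects the file before any database write, so nothing is stored when validation fails.

```php
<?php
// Added example: hardened replacement for the add.php/edit.php upload logic.
// Assumptions: form field 'photo'; UPLOAD_DIR is not under the web root.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/private_uploads'; // assumed path, outside DocumentRoot
const MAX_BYTES  = 2 * 1024 * 1024;            // 2 MiB size limit

/**
 * Validate an uploaded image and store it under a random name.
 * Returns the stored file name, or null when the upload is rejected.
 */
function store_student_image(array $file): ?string
{
    // Only accept a complete, error-free PHP upload within the size limit.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (($file['size'] ?? 0) > MAX_BYTES || !is_uploaded_file($file['tmp_name'] ?? '')) {
        return null;
    }

    // Content check: parse the image header instead of trusting the
    // client-supplied name or Content-Type. Returns false for non-images.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;
    }

    // Allow-list by detected image type ($info[2] is an IMAGETYPE_* constant)
    // and derive the extension from it, never from the user-supplied name.
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    if (!isset($allowed[$info[2]])) {
        return null;
    }

    // Random name: no user-controlled characters reach the filesystem path.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644); // readable by the server, never executable
    return $name;
}

// In the form handler: validate and store first, run the INSERT/UPDATE only on success.
// $stored = store_student_image($_FILES['photo'] ?? []);
// if ($stored === null) { http_response_code(400); exit('Invalid image'); }
```

Serving the stored images then goes through a read-only handler (or a static directory with PHP disabled), so the original file name never becomes a URL path.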