Online ID Generator 1.0 - Remote Code Execution (RCE)

Online ID Generator 1.0 – Remote Code Execution (RCE) Vulnerability Analysis

On August 31, 2023, cybersecurity researcher nu11secur1ty disclosed a critical vulnerability in the Online ID Generator 1.0 web application, exposing a remote code execution (RCE) flaw through a combination of SQL injection and insecure file upload functionality. This vulnerability, rated as HIGH-CRITICAL, allows attackers to bypass authentication, upload malicious PHP payloads, and execute arbitrary code on the server — effectively granting full control over the application environment.

Overview of the Vulnerable Application

The Online ID Generator 1.0 is a simple web-based tool designed to generate unique identifiers for users, typically used in small-scale administrative systems or internal tools. The software was publicly available via SourceCodester, a platform known for hosting open-source code snippets. Despite its simplicity, the application contains multiple security flaws that make it a prime target for exploitation.

Exploitation Path: Bypassing Authentication via SQL Injection

The first step in the attack chain involves exploiting a SQL Injection (SQLi) vulnerability in the login form. The application uses unfiltered user input for authentication queries, making it susceptible to classic injection techniques.

nu11secur1ty' or 1=1#

Explanation: This payload exploits the SQL query logic in the login validation process. The attacker inputs a username that includes a single quote followed by a boolean condition (1=1) and a comment marker (#). The resulting SQL query becomes:

SELECT * FROM users WHERE username = 'nu11secur1ty' OR 1=1#

Since 1=1 is always true, the query returns all user records, effectively bypassing authentication without knowing the correct password. This demonstrates a failure in input sanitization and improper use of dynamic SQL queries.

File Upload Vulnerability: Web Shell Upload

Once authenticated, the attacker gains access to the system’s file upload functionality — specifically, the system logo upload feature. This endpoint accepts file uploads without proper validation, allowing the upload of executable PHP scripts.

Explanation: This PHP script, when uploaded to the server’s /uploads/ directory, executes upon request. The phpinfo() function outputs detailed information about the PHP environment, including server configuration, installed extensions, and environment variables. While harmless in isolation, this serves as a proof-of-concept web shell — a foothold for further exploitation.

Crucially, the application does not validate file extensions, MIME types, or content. This lack of security checks enables attackers to upload malicious payloads such as reverse shells, data exfiltration scripts, or persistent backdoors.

Remote Code Execution (RCE) Demonstration

After uploading the PHP shell, the attacker can trigger execution via a direct HTTP request to the uploaded file’s URL:

http://localhost/id_generator/uploads/1693471560_info.php

Explanation: The filename 1693471560_info.php is dynamically generated based on the upload timestamp. The server treats this as a valid PHP script, executes it, and returns the phpinfo() output. This confirms successful RCE — the attacker can now execute any PHP code on the server from a remote browser.

From this point, attackers can:

• Execute system commands using system() or exec() functions.
• Read sensitive files (e.g., /etc/passwd, database credentials).
• Establish reverse shells via shell_exec() or passthru().
• Upload additional malware or modify application logic.

Security Implications and Risk Assessment

Severity	HIGH-CRITICAL
CVSS Score (Estimated)	9.8 (CVSS v3.1)
Attack Vector	Network (Remote)
Attack Complexity	Low
Privileges Required	None (unauthenticated)
Impact	Complete system compromise

Due to the low attack complexity and lack of required privileges, this vulnerability is highly exploitable in real-world scenarios. It is particularly dangerous when deployed on publicly accessible servers or within internal networks with weak firewall rules.

Best Practices for Mitigation

To prevent such vulnerabilities, developers and administrators must implement the following security controls:

• Input Validation: Use parameterized queries or prepared statements to prevent SQL injection.
• File Upload Restrictions: Enforce strict file type checks (e.g., only allow .jpg, .png), disable execution of uploaded files, and store uploads in non-executable directories.
• Security Headers: Set X-Content-Type-Options: nosniff and Content-Disposition: attachment to prevent execution of uploaded scripts.
• Logging & Monitoring: Log all file uploads and monitor for suspicious patterns (e.g., PHP files in upload directories).
• Regular Audits: Conduct code reviews and penetration testing, especially for applications hosted on public platforms.

Reference & Learning Resources

For deeper understanding of these attack vectors, refer to:

• PortSwigger Web Security Academy – SQL Injection
• File Upload Security Guide
• Lab: Remote Code Execution via Web Shell Upload

These resources provide hands-on labs and real-world examples that help security professionals recognize and defend against similar vulnerabilities.

Conclusion

The Online ID Generator 1.0 vulnerability exemplifies how even simple, seemingly harmless applications can become critical security risks due to poor development practices. The combination of SQL injection and insecure file upload creates a direct path to remote code execution — a hallmark of high-risk vulnerabilities. This case underscores the importance of secure coding standards, input validation, and strict file handling policies in every web application, regardless of its complexity.