SourceCoders Online Shopping Portal 3.1 RCE via SQLi and Unrestricted File Upload (CVE-2023-38890)

Key Information Summary Vulnerability Overview CVE ID: CVE-2023-38890 Affected Version: SourceCoders Online Shopping Portal 3.1 Vulnerability Type: Remote Code Execution (RCE) via SQL Injection and Unrestricted File Upload Vulnerability Discovery and Exploitation 1. SQL Injection - Discovery Process: Unauthorized login achieved by injecting - Root Cause: User input directly concatenated into SQL queries without validation or escaping of special characters - Mitigation Recommendation: Use Prepared Statements 2. Unrestricted File Upload - Discovery Process: Product insertion page (admin/insert-product.php) allows uploading malicious files (e.g., shell.php) - Root Cause: Lack of file extension validation, MIME type checking, and file renaming - Mitigation Recommendation: Implement strict file validation and renaming mechanisms Exploitation Process Session Initialization: Use to maintain session Authentication Bypass: SQL injection to achieve unauthorized login Payload Generation: Generate random product name and shell filename Malicious File Upload: Construct POST request to upload PHP shell Path Extraction: Locate the exact path of the uploaded file Execution: Access the uploaded shell's URL to execute commands Mitigation Recommendations SQL Injection Fix: Use Prepared Statements File Upload Fix: Implement file extension validation, MIME type checking, and file renaming Reference Information Disclosure Date: June 17, 2021 Researcher: Tagoletta Reference Link: https://www.exploit-db.com/exploits/50029

Goal Reached Thanks to every supporter — we hit 100%!

SourceCoders Online Shopping Portal 3.1 RCE via SQLi and Unrestricted File Upload (CVE-2023-38890)