Exploit for Alumni Management System 1.0 Shell Upload CVE-2020-28072

Name: Exploit for Alumni Management System 1.0 Shell Upload CVE-2020-28072
Rating: 5 (166 reviews)

2020-12-15 | CVSS -0.3

## https://sploitus.com/exploit?id=PACKETSTORM:160508
# Exploit Title: Remote Code Execution on Alumni Management System   
# Date: 23/10/2020  
# Exploit Author: Valerio Alessandroni  
# Vendor Homepage: https://www.sourcecodester.com  
# Software Link: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-s ource-code.html  
# Version: 1.0  
# Tested on: ubuntu 18.04  
# CVE : CVE-2020-28072  
# Description:  
  
  
  
# Reproduction:  
  
- Log in the administration panel, through http://127.0.0.1/admin/index.php?page=gallery,   
- upload a malicious php file using the form in the page.  
- Executes command via the uploaded file http://127.0.0.1/admin/assets/uploads/gallery/[ID]_img.php  
- The [ID] is a variable progressive number, it can be found in the html source code in the same page