CVE-2021-42580
published 2021-11-15


Priority: P2 (69) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 9.98% (95.0th percentile)
Sourcecodester Online Learning System 2.0 is vulnerable to a SQL injection authentication bypass in the admin login file (/admin/login.php) and to an authenticated file upload in Master.php. Chaining these two vulnerabilities yields unauthenticated remote command execution.

Affected

1 range
Vendor: oretnom23 · Product: online_learning_system · Version range: (not listed) · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /admin/login.php
path: /classes/Login.php?f=login
path: /classes/Master.php?f=save_faculty
path: /uploads/Favatar_
command: ' or 1=1 -- -
command: nikmok" . shell_exec($_REQUEST['cmd']) . ""?>
url: https://www.sourcecodester.com/sites/default/files/download/oretnom23/elearning_v2_0.zip
  • Detect SQLi authentication bypass attempts targeting the login endpoint: POST requests to /classes/Login.php?f=login with username or password fields containing the pattern `' or 1=1 -- -`.
  • Detect PHP webshell upload via POST to /classes/Master.php?f=save_faculty with a multipart file upload containing a `.php` extension in the `img` field.
  • Detect webshell execution attempts: GET requests to /uploads/Favatar_<integer>.php with a `cmd` query parameter (e.g., ?cmd=whoami). The response body will contain the string `nikmok` if the shell is present.
  • Alert on the presence of files matching the pattern `Favatar_*.php` in the /uploads/ directory, as the exploit brute-forces a numeric suffix to locate the dropped webshell.
  • The exploit chains unauthenticated SQLi bypass with authenticated file upload to achieve RCE — correlate a login event from /classes/Login.php immediately followed by a POST to /classes/Master.php?f=save_faculty as a high-confidence attack sequence.
  • The webshell payload uses `shell_exec($_REQUEST['cmd'])` and embeds the canary string `nikmok` in its output — scan uploaded files and HTTP responses for this string as a webshell indicator.
  • The exploit was tested on both Kali Linux and Windows 10, so the attack tooling is cross-platform and not OS-specific; do not scope detections to a particular client user-agent or OS.
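The detection bullets above, turned into code. This is an added example written for this page, not code from the page's sources or from the Online Learning System project. It assumes a JSON-lines request log that records the POST body and a snippet of the response (fields `ts`, `src`, `method`, `uri`, `body`, `resp`); plain access logs do not carry bodies, so in practice this would run over WAF or reverse-proxy logs. The sample records are constructed. It goes slightly beyond the bullets in one place: the upload rule also flags `.phtml`, `.phar` and `.php5` filenames in the `img` field, not only `.php`.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Patterns taken from the IOC list on this page.
SQLI_RE = re.compile(r"'\s*or\s+1\s*=\s*1\s*--\s*-", re.IGNORECASE)
# Multipart part for the `img` field carrying a PHP filename. The page names
# `.php`; .php5/.phtml/.phar are added here as commonly executed variants.
UPLOAD_RE = re.compile(
    r'name="img";\s*filename="[^"]*\.(?:php\d?|phtml|phar)"', re.IGNORECASE
)
SHELL_PATH_RE = re.compile(r"^/uploads/Favatar_\d+\.php$")
CANARY = "nikmok"          # string the webshell echoes before command output
CHAIN_WINDOW = 300         # seconds allowed between login bypass and upload


@dataclass
class Alert:
    rule: str
    ts: int
    src: str
    detail: str


def detect(log_lines: List[str]) -> List[Alert]:
    """Run the rules over JSON-lines request records (assumed format: ts, src,
    method, uri, optional body and resp fields) and return alerts in order."""
    alerts: List[Alert] = []
    last_sqli: Dict[str, int] = {}   # src -> ts of last SQLi login attempt
    for line in log_lines:
        rec = json.loads(line)
        parts = urlsplit(rec["uri"])
        path, query = parts.path, parse_qs(parts.query)
        body = rec.get("body", "")
        ts, src, method = rec["ts"], rec["src"], rec["method"].upper()

        # R1: SQLi authentication bypass against the login handler.
        if method == "POST" and path == "/classes/Login.php" and query.get("f") == ["login"]:
            fields = parse_qs(body, keep_blank_values=True)
            creds = fields.get("username", []) + fields.get("password", []) or [unquote_plus(body)]
            if any(SQLI_RE.search(v) for v in creds):
                alerts.append(Alert("sqli_login_bypass", ts, src, creds[0]))
                last_sqli[src] = ts

        # R2: PHP file dropped through the faculty avatar upload.
        elif method == "POST" and path == "/classes/Master.php" and query.get("f") == ["save_faculty"]:
            m = UPLOAD_RE.search(body)
            if m:
                alerts.append(Alert("php_upload_save_faculty", ts, src, m.group(0)))
                # R4: same client bypassed login shortly before -> full chain.
                if src in last_sqli and 0 <= ts - last_sqli[src] <= CHAIN_WINDOW:
                    alerts.append(Alert("cve_2021_42580_chain", ts, src,
                                        f"login bypass at ts={last_sqli[src]} then upload"))

        # R3: command execution through the dropped shell; the canary in the
        # response upgrades the alert from attempt to confirmed.
        elif method == "GET" and SHELL_PATH_RE.match(path) and "cmd" in query:
            confidence = "confirmed" if CANARY in rec.get("resp", "") else "attempt"
            alerts.append(Alert("webshell_exec_" + confidence, ts, src,
                                f"{path} cmd={query['cmd'][0]}"))
    return alerts


# Constructed sample records, not real traffic: one attacker chain and one
# benign login plus a normal avatar fetch that must not alert.
SAMPLE_LOG = [
    '{"ts": 100, "src": "203.0.113.7", "method": "POST", "uri": "/classes/Login.php?f=login", '
    '"body": "username=admin%27+or+1%3D1+--+-&password=x"}',
    '{"ts": 130, "src": "203.0.113.7", "method": "POST", "uri": "/classes/Master.php?f=save_faculty", '
    '"body": "--b\\r\\nContent-Disposition: form-data; name=\\"img\\"; filename=\\"a.php\\"\\r\\n"}',
    '{"ts": 131, "src": "203.0.113.7", "method": "GET", "uri": "/uploads/Favatar_2.php?cmd=whoami", '
    '"resp": "nikmokwww-data\\n"}',
    '{"ts": 200, "src": "198.51.100.4", "method": "POST", "uri": "/classes/Login.php?f=login", '
    '"body": "username=alice&password=s3cret"}',
    '{"ts": 201, "src": "198.51.100.4", "method": "GET", "uri": "/uploads/Favatar_2.png"}',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts:>5} {a.src:<14} {a.rule:<26} {a.detail}")
```

The chain rule keys on source address; behind a shared NAT or a proxy fleet that will occasionally pair unrelated clients, so treat R4 as a prioritisation signal and R1 to R3 as the individual detections. The upload rule only sees the multipart headers, so a shell uploaded with an innocuous filename and later renamed is not caught here; the file-system check for `Favatar_*.php` in the bullet list covers that case.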

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P