Related vulnerability
Description
Exploit for CVE-2025-10353: unauthenticated file upload in the Melis Platform framework that leads to RCE.
Introduction
# CVE-2025-10353 POC - File Upload RCE 🛠️
> POC for CVE-2025-10353: A file-upload vulnerability in the `melis-cms-slider` module of Melis Platform that can lead to remote code execution (RCE) when an attacker uploads a malicious file via the `mcsdetail_img` parameter to:
>
> ```
> /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm
> ```


---
## 🔗 References
- 📄 [CVE-2025-10353 on MITRE](https://www.cve.org/CVERecord?id=CVE-2025-10353)
- 📄 [Melis Platform Warning on INCIBE (Spanish National Cybersecurity Institute)](https://www.incibe.es/incibe-cert/alerta-temprana/avisos/multiples-vulnerabilidades-en-melis-platform)
- 📄 PoC: `CVE-2025-10353-POC.txt` (raw HTTP request exported from Burp) — **do not publish publicly**.
---
## 🚀 Description
This PoC demonstrates a **file upload → RCE** chain in the `melis-cms-slider` module.
The vulnerable endpoint accepts multipart form uploads via the `mcsdetail_img` field but does not validate, sanitize, or restrict the uploaded content, so a file with a server-executable extension (for example `.php`) is accepted as-is.
Where the upload directory is web-accessible and served with script execution enabled, requesting the uploaded file runs it on the server, which is the RCE.
The `mcsdetail_mcslider_id` parameter selects the slider subdirectory the file is written to.
Slider IDs start at 1, so setting it to 0 writes the file into a directory that corresponds to no slider shown in the admin interface, which keeps the dropped file out of sight.
**Impact includes:**
- Remote execution of arbitrary code on the web application host.
- Complete compromise of web application and potential lateral movement.
- Data exfiltration, tampering or destruction.
---
## 🛠️ Requirements
- Burp Suite (recommended) or equivalent HTTP proxy that supports raw request replay.
- CLI tools for safe triage (`curl`, `wget`, `nc`) — only for authorized tests.
- Access to the PoC file `CVE-2025-10353-POC.txt` (raw HTTP request exported from Burp).
- Explicit written authorization to test the target system.
> **Important:** Do not run exploit or payloads against production/third-party systems. Use isolated testbeds or VM snapshots.
---
## 🧪 Usage
### Basic check (Burp Repeater)
1. Open Burp → Repeater.
2. Open `CVE-2025-10353-POC.txt`, copy the raw HTTP request.
3. Paste into a new Repeater tab, set the proper host and press **Send**.
4. Check the response for the path of the uploaded file.
5. Request that path to confirm the file is web-accessible. Example:
```
http://vulnerable-host.com/media/sliders/0/shell.php
```
---
## ⚠️ Disclaimer
This document is for authorized security testing and remediation only. Do **not** use the PoC or reproduction steps against systems you do not own or do not have explicit permission to test. The author is not responsible for misuse.
---
Made with ❤️ by Manuel Iván San Martín Castillo
File snapshot
[4.0K] /data/pocs/02a19fa732064b9089cc2e4dcc5165e6b8db9c58
├── [2.9K] CVE-2025-10353-POC.txt
├── [1.0K] LICENSE
└── [3.0K] README.md
0 directories, 3 files
Notes
1. It is recommended to access the PoC through the original source first.
2. If the source is gone or unreachable, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong (神龙) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.