POC详情: 60a347ea7ca27181c3e6f0048ab0babb40f57aae

来源
https://github.com/0xtensho/CVE-2025-49132-poc
关联漏洞
标题: Pterodactyl Panel 代码注入漏洞 (CVE-2025-49132)
描述:Pterodactyl Panel是Pterodactyl开源的一个免费的开源游戏服务器管理面板。 Pterodactyl Panel 1.11.11之前版本存在代码注入漏洞,该漏洞源于/locales/locale.json端点未验证locale和namespace参数,可能导致任意代码执行。
介绍

# CVE-2025-49132-poc

I made this poc for [CVE-2025-49132](https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843), as it was interesting to make and it's part of a challenge over at my cyber platform [deepreview](https://deepreview.app) !

This is all explained in a blog post I made and in the challenge over at the website !

This CVE takes advantage of a file inclusion vulnerability that can be escalated to a Remote Code Execution with the `pearcmd.php` script.

Usage :
```shell
python3 poc.py 127.0.0.1 'touch /tmp/omgitworks'
```

If it works correctly you should see an internal server error in the response.
文件快照

 [4.0K]  /data/pocs/60a347ea7ca27181c3e6f0048ab0babb40f57aae
├── [ 483]  poc.py
└── [ 642]  README.md

0 directories, 2 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。