POC details: 70c3558174e9e59ec280305714e2a0252d897be2

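Source
Related vulnerabilities
Title: Scriptcase security vulnerability (CVE-2025-47227)
Description: Scriptcase is a low-code platform for rapid application development from the Scriptcase company. Scriptcase version 9.12.006 contains a security vulnerability that stems from improper handling in the administrator password reset mechanism and may lead to authentication bypass.
Description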
ScriptCase Pre-Authenticated Remote Command Execution exploitation script (CVE-2025-47227, CVE-2025-47228).
Introduction
# ScriptCase - Pre-Authenticated Remote Command Execution

## Chaining administrator's password reset (authentication bypass, CVE-2025-47227) and shell injection (authenticated remote command execution, CVE-2025-47228)

Pre-authenticated remote command execution is achieved by chaining two vulnerabilities. The first is the ability to reset the administrator password of the prod console under certain conditions. The second is a simple authenticated remote command execution in the connection features, where user input is concatenated directly into an `ssh` system command.

## Requirements

The third-party Python dependencies used by the exploits can be installed with one of the following commands:

```bash
# pip - universal
pip3 install Pillow pytesseract requests beautifulsoup4

# pacman - Arch Linux
pacman -S python-pillow python-pytesseract python-requests python-beautifulsoup4
```

## Usage

An exploitation script was written to handle several scenarios:

- Perform the pre-authentication remote command execution by chaining the two vulnerabilities (password reset and authenticated command execution)
- Only perform the password reset
- Only perform authenticated command execution
- Detect the deployment path

```
Usage:
  Examples:

  Pre-Auth RCE (password reset + RCE)
    python exploit.py -u http://example.org/scriptcase -c "command"
  Password reset only (no auth)
    python exploit.py -u http://example.org/scriptcase
  RCE only (need account)
    python exploit.py -u http://example.org/scriptcase -c "command" -p 'Password123*'
  Detect deployment path
    python exploit.py -u http://example.org/ -d


Options:
  -h, --help            show this help message and exit
  -u BASE_URL, --base-url=BASE_URL
  -c COMMAND, --command=COMMAND
  -p PASSWORD, --password=PASSWORD
  -d, --detect
```

## Affected versions

Version 1.0.003-build-2 of the Production Environment module is affected. This version of the module is included in ScriptCase version 9.12.006 (23). Earlier versions are likely to be vulnerable as well.

## References

https://www.synacktiv.com/advisories/scriptcase-pre-authenticated-remote-command-execution
File snapshot

```
[4.0K] /data/pocs/70c3558174e9e59ec280305714e2a0252d897be2
├── [ 13K] exploit.py
└── [2.1K] README.md

0 directories, 2 files
```