
CVE-2025-34030 PoC - sar2html security vulnerability

Associated Vulnerability
Title: sar2html security vulnerability (CVE-2025-34030)
Description: sar2html is a chart-generation tool by the individual developer cemtan. sar2html versions 3.2.2 and earlier contain a security vulnerability caused by the unsanitized plot parameter, which may lead to OS command injection attacks.
Description
PoC for CVE-2025-34030 sar2html 'plot' parameter RCE
Readme
# CVE-2025-34030 - sar2html 'plot' parameter RCE

- CVSS: 10.0 Critical
- Vulnerability: OS Command Injection
- Programming Language: PHP
- Exploit Code: Python

References: 
- https://nvd.nist.gov/vuln/detail/CVE-2025-34030
- https://www.vulncheck.com/advisories/sar2html-command-injection

## Description
sar2html version <= 3.2.1 contains an unauthenticated OS Command Injection vulnerability via the `plot` parameter in `index.php` (`index.php?plot=; <command>`). The output of the injected command is displayed in the application's interface after execution: the "select # host" drop-down contains the command output.
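The injection path described above (a `plot` value in a request to `index.php` that carries shell metacharacters) is easy to spot in web-server access logs. The following detection helper is an added example written for this page; it is not code from the sar2html project or from the PoC repository. The log lines, client addresses and URL paths it scans are constructed for illustration, and it assumes a Common Log Format layout.

```python
"""Access-log detection for CVE-2025-34030 style requests to sar2html.

Added example, not code from sar2html or the PoC repository. It flags
requests to index.php whose `plot` query parameter contains characters
that would let a value break out of a shell command line (";", "|", "&",
backticks, "$(", redirections). Sample log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters and substitution openers that indicate command injection.
SHELL_META = re.compile(r'[;|&`\n\r<>]|\$\(|\$\{')

# Constructed sample log (hypothetical hosts and paths); three lines are attacks,
# one is a benign plot request, one targets a page that does not use `plot`.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2025:12:00:01 +0000] "GET /sar2html/index.php?plot=%3Bid HTTP/1.1" 200 5123',
    '198.51.100.4 - - [10/Jun/2025:12:00:02 +0000] "GET /sar2html/index.php?plot=cpu HTTP/1.1" 200 4001',
    '203.0.113.7 - - [10/Jun/2025:12:00:03 +0000] "GET /sar2html/index.php?plot=%3B%24(uname) HTTP/1.1" 200 5200',
    '198.51.100.9 - - [10/Jun/2025:12:00:04 +0000] "GET /sar2html/about.php?plot=%3Bid HTTP/1.1" 200 900',
    '203.0.113.7 - - [10/Jun/2025:12:00:05 +0000] "GET /sar2html/index.php?plot=%253Bid HTTP/1.1" 200 5123',
]


def parse_line(line):
    """Split one Common Log Format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def plot_values(target):
    """Return decoded `plot` values for requests to index.php; [] for other paths."""
    parts = urlsplit(target)
    if not parts.path.endswith("index.php"):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs decodes once; decode again so double-encoded payloads (%253B) are caught.
    return [unquote(v) for v in qs.get("plot", [])]


def is_suspicious(value):
    """True when the plot value contains a shell metacharacter or substitution."""
    return bool(SHELL_META.search(value))


def scan(lines):
    """Return one finding per suspicious plot value, preserving log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for value in plot_values(rec["target"]):
            if is_suspicious(value):
                findings.append(
                    {"client": rec["client"], "time": rec["time"], "value": value}
                )
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} plot={f['value']!r}")
```

Run against a real log by replacing `SAMPLE_LOG` with the file's lines; a hit from the same client that also returns HTTP 200 is worth correlating with the "select # host" output the advisory describes, since a status 200 alone does not prove the command executed.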

## Proof of Concept
![Demo Video](img/CVE-2025-34030.gif)


File Snapshot

```
[4.0K] /data/pocs/799cc7717e52f1ff532c0edcdef861a277403115
├── [3.4K] exploit.py
├── [4.0K] img
│   └── [795K] CVE-2025-34030.gif
├── [ 714] README.md
└── [ 32] requirements.txt

1 directory, 4 files
```