Related vulnerability
Description
An authenticated Remote Code Execution (RCE) vulnerability in laravel-file-manager v3.3.1 and below allows attackers with access to the file manager interface to execute arbitrary code on the server.
Introduction
# CVE-2025-56399 – Authenticated Remote Code Execution in `laravel-file-manager` v3.3.1
## 🧭 Overview
An authenticated Remote Code Execution (RCE) vulnerability in laravel-file-manager v3.3.1 and below allows attackers with access to the file manager interface to execute arbitrary code on the server. By uploading a file with a permitted non-PHP extension (e.g., `.png`, `.pdf`) that contains PHP code and then renaming it to a `.php` extension, or by directly creating a `.php` file and editing PHP code into it, an attacker obtains a web shell that executes when the file is requested through a public URL. As the PoC's `/storage/shell.php` URL implies, this requires the file manager's disk to be served from under the web root (in Laravel typically the `public` disk exposed at `public/storage` via `php artisan storage:link`) with PHP execution enabled for that path.
## 🧱 Affected Component
- **Project:** `laravel-file-manager`
- **Component:** File upload / rename API
- **Affected version:** **v3.3.1 and below**
## 🎯 Attack Vectors
1. Authenticate with an account that has access to the file manager's upload or create-file functionality.
2. Upload a file (e.g., `shell.png`) containing PHP code (e.g., `<?php system($_GET['c']); ?>`) via the file manager's upload interface or API.
3. Use the rename API or interface to change the file extension from `shell.png` to `shell.php`.
4. Request the file at a public URL (e.g., `https://server-ip-address/storage/shell.php?c=id`) to execute the PHP payload.
5. Alternatively, use the "Create File" function to create a file (e.g., `shell.php`), then use the edit function to insert PHP code, and request it via a public URL.
## 💥 Impact
- Remote Code Execution (RCE): attackers can execute arbitrary commands in the web server's context (the PHP worker's user).
- System compromise: depending on server configuration, this can lead to full compromise of the web application and of the host system.
- Risk: high impact on confidentiality, integrity, and availability of the affected system.
## CVSS v3
- **Base Score:** 8.8
- **Vector:** `CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
- **Severity:** High
## 🛡️ Recommended Remediation
- Validate uploads server-side: require the declared extension to be on an allow-list and require the file's magic bytes to match that type. Note that a valid PNG or PDF header followed by PHP code still passes a magic-byte check, so also reject content that contains a PHP open tag; treat this as one layer, not the fix.
- Enforce a strict allow-list of file extensions and reject PHP-executable ones (`.php`, `.phtml`, `.phar`, `.php5`, `.phps`, ...) case-insensitively and in every dotted segment of the name, since some Apache `AddHandler` configurations execute a `.php` segment anywhere in the filename (e.g., `shell.php.png`).
- Apply the same checks to rename and to "Create File"/edit: no operation may produce a file whose name carries an executable extension, regardless of what the original name or content was.
- Disable script/PHP execution in the directories the file manager writes to (e.g., an nginx `location` that returns 403 for `\.php$` requests under `/storage/`, or `php_flag engine off` in Apache for that directory), and prefer a disk that is not reachable under the web root at all.
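The following is an added example, not code from the laravel-file-manager project or from the advisory's authors. It implements the upload and rename checks the remediation list describes and replays the attack chain from the "Attack Vectors" section through them, so that each step (`shell.png` carrying PHP, rename to `shell.php`, create `shell.php`) is seen to be refused. The function names, the allow-list of image/document types, the block-list of PHP extensions, and the sample bytes are all assumptions constructed for the illustration.

```python
"""Hardened upload / rename validation of the kind the remediation list calls for.

Added example (assumed names and policy), not laravel-file-manager's own code.
The sample bytes in replay_advisory_chain() are constructed, not captured.
"""
from __future__ import annotations

# Extensions a typical PHP-FPM / mod_php setup hands to the interpreter.
# Checked case-insensitively against every dotted segment of the name, so
# "shell.PHP", "shell.phtml" and "shell.php.png" are all refused.
EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "php8", "phps", "phtml", "phar", "pht",
})

# Allow-list: declared extension -> magic bytes the content must start with.
MAGIC_BY_EXTENSION: dict[str, tuple[bytes, ...]] = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

PHP_OPEN_TAGS = (b"<?php", b"<?=", b'<script language="php"')


def extension_segments(filename: str) -> list[str]:
    """All extension-like segments of a basename: 'a.php.png' -> ['php', 'png']."""
    base = filename.lower().rsplit("/", 1)[-1]
    return [seg for seg in base.split(".")[1:] if seg]


def has_executable_extension(filename: str) -> bool:
    return any(seg in EXECUTABLE_EXTENSIONS for seg in extension_segments(filename))


def magic_matches(filename: str, data: bytes) -> bool:
    """True only if the last extension is allow-listed and the header matches it."""
    segs = extension_segments(filename)
    if not segs:
        return False
    magics = MAGIC_BY_EXTENSION.get(segs[-1])
    return magics is not None and any(data.startswith(m) for m in magics)


def contains_php_tag(data: bytes) -> bool:
    return any(tag in data for tag in PHP_OPEN_TAGS)


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Upload and 'Create File' go through the same policy."""
    if has_executable_extension(filename):
        return False, "executable extension"
    if not magic_matches(filename, data):
        return False, "extension not allow-listed or magic bytes do not match"
    if contains_php_tag(data):
        # A valid PNG header followed by "<?php ..." passes the magic check;
        # this content scan is the only upload-time check that catches it.
        return False, "PHP open tag inside an allow-listed file type"
    return True, "ok"


def validate_rename(old_name: str, new_name: str, data: bytes) -> tuple[bool, str]:
    """A rename may never introduce an executable extension; an extension
    change is allowed only when the stored bytes really are the new type."""
    if has_executable_extension(new_name):
        return False, "rename to executable extension refused"
    if extension_segments(new_name)[-1:] != extension_segments(old_name)[-1:]:
        if not magic_matches(new_name, data):
            return False, "new extension does not match file contents"
    return True, "ok"


def replay_advisory_chain() -> dict[str, tuple[bool, str]]:
    """Run the advisory's two attack paths through the checks (constructed inputs)."""
    webshell = b"<?php system($_GET['c']); ?>"            # step 2 payload
    polyglot = MAGIC_BY_EXTENSION["png"][0] + webshell     # PNG header + PHP
    benign_png = MAGIC_BY_EXTENSION["png"][0] + b"\x00" * 16
    return {
        "upload shell.png (raw PHP)": validate_upload("shell.png", webshell),
        "upload shell.png (PNG header + PHP)": validate_upload("shell.png", polyglot),
        "rename shell.png -> shell.php": validate_rename("shell.png", "shell.php", polyglot),
        "rename shell.png -> shell.PHP": validate_rename("shell.png", "shell.PHP", polyglot),
        "rename shell.png -> shell.php.png": validate_rename("shell.png", "shell.php.png", polyglot),
        "create shell.php": validate_upload("shell.php", b""),
        "upload photo.png (benign)": validate_upload("photo.png", benign_png),
    }


if __name__ == "__main__":
    for step, (ok, reason) in replay_advisory_chain().items():
        print(f"{'ALLOW' if ok else 'REFUSE':6} {step}: {reason}")
```

The polyglot case is the one to study: a PNG header followed by the web shell satisfies the magic-byte check, so only the open-tag scan stops it at upload time, and only the rename and execution controls stop it afterwards. Each check is independent on purpose; if one is bypassed, the others still hold.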
> ## 🙏 Credits
> Discovered and reported by: **Chayawat Jeamprasertboon, Thanakorn Boontem, Theethat Thamwasin**
---
File snapshot
[4.0K] /data/pocs/b4137a9ede14f33d533ba073ab08e1958f672bba
├── [4.0K] CVE-2025-56399
│ ├── [4.0K] images
│ │ ├── [173K] step10.png
│ │ ├── [140K] step11.png
│ │ ├── [179K] step12.png
│ │ ├── [517K] step13.png
│ │ ├── [129K] step14.png
│ │ ├── [187K] step15.png
│ │ ├── [189K] step16.png
│ │ ├── [545K] step17.png
│ │ ├── [ 40K] step1.png
│ │ ├── [ 53K] step2.png
│ │ ├── [122K] step3.png
│ │ ├── [165K] step4.png
│ │ ├── [158K] step5.png
│ │ ├── [141K] step6.png
│ │ ├── [157K] step7.png
│ │ ├── [165K] step8.png
│ │ └── [512K] step9.png
│ └── [4.6K] POC-CVE-2025-56399.md
└── [2.3K] README.md
3 directories, 19 files
Notes
1. It is recommended to access the POC through the original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating towards the local POC. Thank you for your support.