漏洞平台

POC详情： ea173826bd327fc1f6060f1b9580e875bb386dd5

来源

https://github.com/Joelp03/CVE-2025-49113

关联漏洞

标题： Roundcube Webmail 安全漏洞 (CVE-2025-49113)
描述：Roundcube Webmail是Roundcube开源的一款基于浏览器的开源IMAP客户端，它支持地址薄管理、信息搜索、拼写检查等。 Roundcube Webmail 1.5.10之前版本和 1.6.11之前版本存在安全漏洞，该漏洞源于未验证_from参数，可能导致PHP对象反序列化攻击。

介绍

# CVE-2025-49113 Roundcube Exploit

A Python exploit for CVE-2025-49113, targeting a vulnerability in Roundcube webmail that allows remote code execution through PHP object deserialization.

## Overview

This exploit leverages a deserialization vulnerability in Roundcube's file upload functionality. It uses a crafted GPG configuration payload to achieve remote code execution on the target server.

## Features

- Automatic authentication with Roundcube
- CSRF token extraction and handling
- Session management
- PHP object deserialization payload generation
- Remote command execution via GPG configuration injection

## Usage

```bash
python exploit.py -t <target_url> -u <username> -p <password> -c <command>
```

### Parameters

- `-t, --target`: Target Roundcube base URL (e.g., `http://example.com/roundcube`)
- `-u, --user`: Valid username for authentication
- `-p, --password`: Password for the specified user
- `-c, --command`: Shell command to execute on the target server

### Example

```bash
python exploit.py -t http://target.com/roundcube -u [email] -p [password] -c "whoami"
```

## How It Works

1. **Authentication**: Logs into Roundcube using provided credentials
2. **Session Management**: Extracts and manages session cookies
3. **Payload Generation**: Creates a serialized PHP object containing the malicious GPG configuration
4. **File Upload**: Uploads a crafted image file with the payload as filename
5. **Code Execution**: The deserialization triggers command execution through GPG configuration

## Technical Details

The exploit targets the `Crypt_GPG_Engine` class deserialization vulnerability by:
- Crafting a base64-encoded shell command
- Embedding it in a serialized PHP object
- Using the object as a filename during file upload
- Triggering deserialization during file processing

## Disclaimer

This tool is for educational and authorized security testing purposes only. Only use this exploit on systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.

## CVE Information

- **CVE ID**: CVE-2025-49113
- **Affected Software**: Roundcube Webmail
- **Vulnerability Type**: PHP Object Deserialization leading to RCE
- **Severity**: Critical

## License

This code is provided for educational purposes. Use responsibly and in accordance with applicable laws and regulations.

文件快照


 [4.0K]  /data/pocs/ea173826bd327fc1f6060f1b9580e875bb386dd5
├── [6.3K]  exploit.py
└── [2.3K]  README.md

0 directories, 2 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。