## https://sploitus.com/exploit?id=425B4914-7271-5B6C-9D59-DD3B80A8796E
# CVE-2025-49132 Proof of Concept (PoC)
This repository contains a Proof of Concept (PoC) for CVE-2025-49132, a critical vulnerability in Pterodactyl Panel versions [--os ] [--traversal-level ]
```
#Example of commands
```bash
python cve-2025-49132-poc.py test http://sub.domain.com
python cve-2025-49132-poc.py test http://domain.com
python cve-2025-49132-poc.py test http://sub.domain.com --os windows
python cve-2025-49132-poc.py test http://sub.domain.com --os linux --traversal-level 3
```
If the check fails, review the printed URL, status, and response. The response may be HTML if the endpoint is blocked or not vulnerable. Ensure the host is correct and reachable.
### Modes:
test: Check vulnerability.
exploit: Perform RCE (sleep 5 seconds as PoC).
dump: Dump credentials.
--os: linux (default) or windows
--traversal-level: Number of '../' (default 2 for config, 5 for RCE). Try 3 or 4 if default fails.
## OpSec Considerations
- RCE exploitation can be detected via logs: cat /var/www/pterodactyl/storage/logs/laravel-2025-*-*.log | grep 'Illuminate\\Translation\\FileLoader->load()'
- If access logs are enabled, look for locale=.. entries.
- Default config (without SSL) may not log credentials easily.
## Legal Disclaimer
This PoC is provided for educational purposes only or for use in authorized challenges such as CTFs (Capture The Flag) or penetration testing with explicit permission.
It is illegal to use this against any system without prior written consent from the owner. The author assumes no liability for any misuse of this code.
## Installation
Requires Python 3 and requests (install via pip install requests).
## License
MIT License. See LICENSE file.
## Contributing
Pull requests are welcome for improvements, but ensure they align with educational intent.