## https://sploitus.com/exploit?id=4B162A30-D9DE-5AAB-B847-42EB06EB3FDB
# CVE-2025-2945 β pgAdmin4 Authenticated RCE (PoC)
This repository contains a **proof-of-concept script** created for security research and authorized penetration testing involving the vulnerability **CVE-2025-2945**, affecting certain versions of **pgAdmin4**.
The issue allows an authenticated pgAdmin user with access to the SQL Editor to trigger remote code execution by abusing the Query Tool panel initialization flow. This PoC demonstrates the vulnerability for **educational, auditing, and defensive purposes only**.
---
## β οΈ Legal & Ethical Notice
This tool is intended **ONLY** for:
* Security researchers
* Red Team operators with prior written authorization
* System administrators validating their own infrastructure
* Educational analysis of vulnerable flows
**Do NOT use this tool on any system without explicit permission.
Unauthorized use is illegal and unethical.
The author is not responsible for misuse.**
---
## βοΈ Features
* Automatically checks vulnerable pgAdmin4 version (8.10 β 9.1)
* Authenticates to pgAdmin4 and retrieves CSRF tokens
* Detects a valid server ID
* Initializes the SQL editor correctly (required for exploit chain)
* Sends a payload through the Query Tool downloader endpoint
* Supports custom database credentials
* Supports custom listener IP/port (reverse shell payload)
---
## π§ Technical Summary
The vulnerability stems from logic flaws in the SQL Editor initialization endpoints. When interacting with `/sqleditor/initialize/` and `/sqleditor/panel/`, the application mishandles user-controlled data, ultimately allowing crafted payloads to execute arbitrary backend commands.
The PoC exploits the following endpoint sequence:
1. **Authentication & CSRF retrieval**
2. **Server connection lookup**
3. **SQL Editor initialization**
4. **Panel registration**
5. **Payload delivery through the Query Tool download API**
---
## π¦ Requirements
* Python 3.x
* `requests` library
* Valid pgAdmin credentials
* Valid database credentials
* A controlled listener (e.g., Netcat) for tests in approved environments
---
## π Usage
### Basic syntax
```
python3 poc.py \
--target-url \
--username \
--password \
--db-user \
--db-pass \
--db-name \
--Rhost \
--Rport
```
*(A full example is already provided in the scriptβs help section.)*
---
## π File Structure
```
poc.py β The exploit proof-of-concept
README.md β Project documentation
```
---
## π‘ Mitigation
Admins should:
* Update pgAdmin4 to a patched version once available
* Limit SQL Editor access to trusted admin accounts
* Enforce MFA and strong passwords
* Restrict pgAdmin network exposure
* Monitor for suspicious SQL Editor requests
---
## β¨ Credits
**Author:** UdayVeer
* X: [https://x.com/udaypro2008](https://x.com/udaypro2008)
* GitHub: [https://github.com/ExtremeUday](https://github.com/ExtremeUday)
* LinkedIn: [https://www.linkedin.com/in/uday-veer-8002a5360/](https://www.linkedin.com/in/uday-veer-8002a5360/)
* HackTheBox: ExtremeUday2
---