Share
## https://sploitus.com/exploit?id=A71F4BF2-E95B-58C0-AA13-DA1EBECAF6E5
# CVE-2026-38751 โ€“ OpenSTAManager Arbitrary File Upload (PoC)

This repository contains a proof-of-concept (PoC) exploit for CVE-2026-38751, affecting OpenSTAManager โ‰ค 2.10.
The vulnerability allows an authenticated attacker to upload a malicious module via the module update functionality, leading to arbitrary file upload and remote code execution (RCE).

## CVE Reference
- MITRE CVE Entry (first disclosure record):
https://vulners.com/cve/CVE-2026-38751
- NVD (NIST) Vulnerability Database:
https://nvd.nist.gov/vuln/detail/CVE-2026-38751
- GitHub Advisory Database
https://github.com/advisories/GHSA-rm34-fg4m-39mw

## Affected Software
- OpenSTAManager โ‰ค 2.10
- Module update system (`modules/aggiornamenti/upload_modules.php`)

## Vulnerability Description
The module update functionality allows authenticated users to upload ZIP-based modules without proper validation of file contents or execution boundaries.
An attacker can craft a malicious module containing PHP payloads, which are then deployed into the web root and executed via the application context.
This results in:
- Arbitrary file upload (CWE-434)
- Remote code execution via uploaded PHP files
- Full compromise of the application context

## Attack Flow (High-Level)
1. Authenticate to OpenSTAManager
2. Upload crafted module ZIP archive
3. Trigger module installation/update process
4. Access uploaded PHP payload via web root
5. Execute arbitrary commands on the server

##Impact
Successful exploitation allows:
- Remote command execution
- Web server compromise
- Data exfiltration
- Full application takeover depending on privileges

## Requirements
- Valid authenticated user account
- Access to module update functionality enabled


## Usage (PoC)
1. Generate malicious module
```
python exploit.py --build
```
Creates:
```
update.zip
โ””โ”€โ”€ run/
    โ”œโ”€โ”€ MODULE
    โ””โ”€โ”€ evil.php
```
2. Run exploit
```
python exploit.py   
```
Optional reverse shell mode:
```
python exploit.py    --lhost  --lport 
```
Example Payload
``` php

```

## Verification
If successful, the following endpoint executes system commands:
`/modules/run/evil.php?cmd=id`

## MITRE / NVD References
- MITRE CVE Record:
https://vulners.com/cve/CVE-2026-38751
- NVD Entry:
https://nvd.nist.gov/vuln/detail/CVE-2026-38751

## Disclaimer

This project is intended for:
- Educational purposes
- Authorized security testing
- Research environments

Do not use against systems without explicit permission.

Notes
>Detection may vary depending on server configuration.
>Some deployments may disable direct PHP execution in module directories.
>Timing of module activation may require retries.

Acknowledgements
- MITRE CVE Program
- NIST National Vulnerability Database (NVD)
- OpenSTAManager project maintainers
- https://github.com/fuutianyii/poc (First poc)