Share
## https://sploitus.com/exploit?id=AE318397-5FDA-5F2F-99D1-7D743A9A9143
# CVE-2025-10353 - File Upload RCE PoC πŸ› οΈ

> Exploit for CVE-2025-10353: A file-upload vulnerability in the `melis-cms-slider` module of Melis Platform that can lead to remote code execution (RCE) when an attacker uploads a malicious file via the `mcsdetail_img` parameter to:
>
> ```
> /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm
> ```

![status](https://img.shields.io/badge/status-proof%20of%20concept-orange)
![request](https://img.shields.io/badge/request-raw%20HTTP-blue)

---

## πŸ”— References

- πŸ“„ Vendor advisory / internal ticket (attach when available)
- πŸ“„ [Melis Platform Warning on INCIBE (Spanish National Cybersecurity Institute)](https://www.incibe.es/incibe-cert/alerta-temprana/avisos/multiples-vulnerabilidades-en-melis-platform) 
- πŸ“„ PoC: `CVE-2025-10353.txt` (raw HTTP request exported from Burp) β€” **do not publish publicly**.

---

## πŸš€ Description

This PoC demonstrates a **file upload β†’ RCE** chain in the `melis-cms-slider` module.
The vulnerable endpoint accepts multipart form uploads via the `mcsdetail_img` field but fails to properly validate, sanitize, or restrict the uploaded content.
Under certain configurations, the uploaded file is stored in a web-accessible directory where it can be executed, resulting in remote code execution.

Additionally, the parameter `mcsdetail_mcslider_id` controls which slider subdirectory the uploaded web shell will be placed in.
The application begins numbering slider directories from 1, so setting this parameter to 0 causes the file to be stored in a hidden directory that is not visible through the standard web interface.

**Impact includes:**
- Remote execution of arbitrary code on the web application host.
- Complete compromise of web application and potential lateral movement.
- Data exfiltration, tampering or destruction.

---

## πŸ› οΈ Requirements
- Burp Suite (recommended) or equivalent HTTP proxy that supports raw request replay.  
- CLI tools for safe triage (`curl`, `wget`, `nc`) β€” only for authorized tests.  
- Access to the PoC file `CVE-2025-10353.txt` (raw HTTP request exported from Burp).  
- Explicit written authorization to test the target system.

> **Important:** Do not run exploit or payloads against production/third-party systems. Use isolated testbeds or VM snapshots.

---

## πŸ§ͺ Usage

### Basic check (Burp Repeater)
1. Open Burp β†’ Repeater.
2. Open `CVE-2025-10353.txt`, copy the raw HTTP request.
3. Paste into a new Repeater tab, set the proper host and press **Send**.
4. Check response for route of the uploaded file.
5. Attempt to access the endpoint provided. Example:

```
http://vulnerable-host.com/media/sliders/0/shell.php
```
---

## ⚠️ Disclaimer

This document is for authorized security testing and remediation only. Do **not** use the PoC or reproduction steps against systems you do not own or do not have explicit permission to test. The author is not responsible for misuse.

---

Made with ❀️ by Manuel IvÑn San Martín Castillo