Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-49113 PoC — Roundcube Webmail 安全漏洞

Source
https://github.com/Joelp03/CVE-2025-49113
Associated Vulnerability
Title:Roundcube Webmail 安全漏洞 (CVE-2025-49113)
Description:Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Readme
# CVE-2025-49113 Roundcube Exploit

A Python exploit for CVE-2025-49113, targeting a vulnerability in Roundcube webmail that allows remote code execution through PHP object deserialization.

## Overview

This exploit leverages a deserialization vulnerability in Roundcube's file upload functionality. It uses a crafted GPG configuration payload to achieve remote code execution on the target server.

## Features

- Automatic authentication with Roundcube
- CSRF token extraction and handling
- Session management
- PHP object deserialization payload generation
- Remote command execution via GPG configuration injection

## Usage

```bash
python exploit.py -t <target_url> -u <username> -p <password> -c <command>
```

### Parameters

- `-t, --target`: Target Roundcube base URL (e.g., `http://example.com/roundcube`)
- `-u, --user`: Valid username for authentication
- `-p, --password`: Password for the specified user
- `-c, --command`: Shell command to execute on the target server

### Example

```bash
python exploit.py -t http://target.com/roundcube -u [email] -p [password] -c "whoami"
```

## How It Works

1. **Authentication**: Logs into Roundcube using provided credentials
2. **Session Management**: Extracts and manages session cookies
3. **Payload Generation**: Creates a serialized PHP object containing the malicious GPG configuration
4. **File Upload**: Uploads a crafted image file with the payload as filename
5. **Code Execution**: The deserialization triggers command execution through GPG configuration

## Technical Details

The exploit targets the `Crypt_GPG_Engine` class deserialization vulnerability by:
- Crafting a base64-encoded shell command
- Embedding it in a serialized PHP object
- Using the object as a filename during file upload
- Triggering deserialization during file processing

## Disclaimer

This tool is for educational and authorized security testing purposes only. Only use this exploit on systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.

## CVE Information

- **CVE ID**: CVE-2025-49113
- **Affected Software**: Roundcube Webmail
- **Vulnerability Type**: PHP Object Deserialization leading to RCE
- **Severity**: Critical

## License

This code is provided for educational purposes. Use responsibly and in accordance with applicable laws and regulations.
File Snapshot

 [4.0K]  /data/pocs/ea173826bd327fc1f6060f1b9580e875bb386dd5
├── [6.3K]  exploit.py
└── [2.3K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →