jnx23/CVE-2025-XXXX

CVE-2025-XXXX: CloudPanel FastCGI PHP-FPM Privilege Escalation Exploit


📌 Description

This proof-of-concept (PoC) exploit targets a privilege escalation vulnerability in CloudPanel environments where the clp user has NOPASSWD sudo access, and FastCGI (PHP-FPM) is misconfigured or exposed locally.

By leveraging insecure FastCGI access and the ability to execute PHP scripts, this exploit executes arbitrary commands as root, either directly or by spawning a privileged root shell.

⚠️ This tool is intended strictly for educational and authorized penetration testing. Do not use it on systems you do not own or have explicit permission to test.


✨ Features

  • 🔧 Run arbitrary system commands as root via PHP-FPM.
  • 🐚 Spawn a pseudo-interactive root shell using a setuid copy of bash.
  • Automatically cleans up temporary files.
  • ✅ Minimal dependencies (pure Python3).

📜 Technical Overview

The exploit works as follows:

  1. A malicious PHP file is written to /tmp/.cmd.php containing:

    <?= `sudo sh -c "{cmd}"`; ?>

  2. A FastCGI request is sent to a locally exposed PHP-FPM service on 127.0.0.1:{PORT}.

  3. If the PHP-FPM process runs as a user with NOPASSWD sudo (e.g., clp), the command runs as root.

  4. Optionally, the exploit can:

    • Copy /bin/bash to a temp location.
    • Set the setuid bit.
    • Spawn an interactive shell as UID 0.

⚙️ Usage

🔹 Run a command as root

    python3 exploit.py --cmd 'id'

🔹 Spawn an interactive root shell

    python3 exploit.py --interactive

Requires: Python3, /bin/bash, and a real TTY.


🧪 Examples

    python3 exploit.py --cmd 'cat /etc/shadow'
    python3 exploit.py --cmd 'whoami'
    python3 exploit.py --interactive

Optional Arguments:

| Flag | Description | Default |
|------|-------------|---------|
| --host | Target host address | 127.0.0.1 |
| --port | Target FastCGI port | 8787 |

File Structure

| File | Description |
|------|-------------|
| exploit.py | Main exploit script |
| /tmp/.cmd.php | Temporary malicious PHP file (auto-cleaned) |
| /tmp/.priv | Setuid copy of bash (if using --interactive) |

🔒 Requirements

  • Python 3.x
  • Local access to a system where:
    • PHP-FPM is accessible on a local port.
    • The FPM process runs as a user with passwordless sudo access.
    • The /tmp directory is writable.
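The conditions listed above can be checked from the defender's side. The following is an added example, not part of the original repository: it flags PHP-FPM pools whose user has a NOPASSWD sudo rule and reports whether the pool listens on TCP or a Unix socket. The sample sudoers and pool text are constructed, and the sudoers parsing is deliberately simplified (no aliases, groups or includes).

```python
import re

# Constructed sample inputs; on a real host read the sudoers and pool files instead.
SAMPLE_SUDOERS = "root ALL=(ALL:ALL) ALL\nclp ALL=(ALL) NOPASSWD: ALL\n%admin ALL=(ALL) ALL\n"
SAMPLE_POOLS = """[clp]
user = clp
listen = 127.0.0.1:8787

[site1]
user = site1
listen = /run/php/site1.sock
"""

def nopasswd_users(sudoers_text):
    """Return user names (not %groups) that have any NOPASSWD rule."""
    users = set()
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()  # simplification: drops comments and #include
        if "NOPASSWD:" in line and not line.startswith(("%", "Defaults")):
            users.add(line.split()[0])
    return users

def parse_pools(conf_text):
    """Parse PHP-FPM pool config text into {pool_name: {directive: value}}."""
    pools, current = {}, None
    for line in conf_text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = pools.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = value
    return pools

def audit(sudoers_text, conf_text):
    """Return (pool, user, listen, kind) for pools running as a NOPASSWD sudo user."""
    risky = nopasswd_users(sudoers_text)
    findings = []
    for name, cfg in parse_pools(conf_text).items():
        listen = cfg.get("listen", "")
        kind = "unix" if listen.startswith("/") else "tcp"  # a path means a Unix socket
        if cfg.get("user") in risky:
            findings.append((name, cfg["user"], listen, kind))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS, SAMPLE_POOLS):
        print("pool %s runs as %s (NOPASSWD sudo), listen=%s [%s]" % finding)
```

A finding of kind "tcp" matches the full set of preconditions described here; removing the NOPASSWD rule for the pool user, or moving the pool to a Unix socket with restrictive `listen.owner`/`listen.mode`, breaks the chain.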

👤 Author


📜 Disclaimer

This tool is provided for educational and research purposes only.
Do not use this on systems you do not own or have explicit permission to test.
The author is not responsible for any misuse or damage caused.


🪪 License

This project is licensed under the MIT License.

About

🚨 FastCGI PHP-FPM local privilege escalation exploit targeting CloudPanel environments where PHP-FPM runs as a user (e.g. clp) with passwordless sudo access. Gain root by executing PHP via FastCGI.
