VTENEXT 25.02 – a three-way path to RCE

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/
• Blog Title: VTENEXT 25.02 – a three-way path to RCE
• Suggested Section: Generic Hacking -> Web Exploitation (new): CSRF method tampering, XSS-to-session hijack, column/tablename SQLi with subqueries, LFI->RCE via pearcmd.php

🎯 Content Summary

VTENEXT CRM (vtenext) – 25.02 and below

Tested on: 20.04, 24.02, 25.02, 25.02.1

Severity: Critical
Impact: Authentication bypass → Account takeover → RCE

Patch status (as of late July–August 2025)

Version 25.02.1 (released ~July 24, 2025) silently patched the pre‑auth arbitrary password reset (Vector #3). The XSS-driven chains (Vectors #1–#2), the SQLi, and LFIs remain exploitable per the author’s tests; ...

🔧 Technical Details

Convert POST-only XSS to GET XSS by abusing CSRF checks: If CSRF validation runs only for POST (e.g., if ($_SERVER['REQUEST_METHOD'] !== 'POST') return true;), reissue the same request as GET without a token. When the endpoint reflects unescaped input and replies as text/html, script execution occurs without CSRF.

Steal HttpOnly sessions via server-side disclosure endpoints: When an internal page (e.g., a mobile/touch endpoint) prints the session ...

🤖 Agent Actions

Updates implemented. Summary of actions and rationale:

What I added from the blog (techniques abstracted and integrated into existing HackTricks pages):

• CSRF method tampering: Converted POST-only actions to GET when CSRF validation checks only POST.
• XSS-to-session hijack via server-side session ID disclosure endpoints (bypassing HttpOnly): Use XSS to fetch a URL that leaks the session value inside the HTML and exfiltrate it.
• SQL Injection: Column/tablename injection in the SELECT list using subqueries to exfiltrate sensitive values (e.g., password reset tokens).
• Reset password logic flaw: Arbitrary pre-auth password reset due to skipOldPwdCheck=true in the change_password path.
• LFI to RCE via pearcmd.php gadget: Reinforced with additional references; note the technique applies e...

✅ Review Checklist

• Content is technically accurate
• Formatting follows HackTricks style guidelines
• Links and references are working
• Content adds educational value
• No sensitive information is exposed

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

• MD files processed: 871
• MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).

[carlospolop]

🔗 Additional Context

Original Blog Post: https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/

Content Categories: Based on the analysis, this content was categorized under "Generic Hacking -> Web Exploitation (new): CSRF method tampering, XSS-to-session hijack, column/tablename SQLi with subqueries, LFI->RCE via pearcmd.php".

Repository Maintenance:

• MD Files Formatting: 871 files processed (1 files fixed)

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

[carlospolop]

merge