{"id":29133345,"url":"https://github.com/superswan/heimshell","last_synced_at":"2025-08-23T10:13:10.565Z","repository":{"id":301451024,"uuid":"1009301386","full_name":"superswan/HeimShell","owner":"superswan","description":"CVE-2023-5180 LinuxServer.io Heimdall before 2.5.7 does not prevent use of icons that have non-image data such as the \"\u003c?php ?\u003e\" substring.","archived":false,"fork":false,"pushed_at":"2025-06-26T23:05:52.000Z","size":4,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-06-27T00:28:36.010Z","etag":null,"topics":["exploit","security","webapp"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/superswan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-26T23:00:53.000Z","updated_at":"2025-06-26T23:05:55.000Z","dependencies_parsed_at":"2025-06-27T00:28:38.238Z","dependency_job_id":"93020127-c79f-46cd-b54a-9a54b359c7e0","html_url":"https://github.com/superswan/HeimShell","commit_stats":null,"previous_names":["superswan/heimshell"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/superswan/HeimShell","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/superswan%2FHeimShell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/superswan%2FHeimShell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/superswan%2FHeimShell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/superswan%2FHeimShell/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/superswan","download_url":"https://codeload.github.com/superswan/HeimShell/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/superswan%2FHeimShell/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271746559,"owners_count":24813570,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-23T02:00:09.327Z","response_time":69,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exploit","security","webapp"],"created_at":"2025-06-30T07:03:29.035Z","updated_at":"2025-08-23T10:13:10.526Z","avatar_url":"https://github.com/superswan.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# HeimShell (CVE-2023-51803)\n\n**HeimShell** is an exploit for CVE-2023-51803, leveraging an arbitrary file-upload vulnerability in LinuxServer.io Heimdall (≤ 2.5.6). It will auto-detect the target version and either  warn of exploitability or remote fetch a php shell defined by `SHELL_URL` \n\n- **≤ 2.2.2**: Aribtrary file upload is possible but files are served statically and URLs are not remotely fetched\n- **≥ 2.2.3 \u0026 ≤ 2.5.6**: remote-fetch PHP shell via icon URL upload  \n\n\n---\n\n* **Version Check:** Retrieves `/settings` and parses the Version field to ensure arbitrary upload capability exists.\n* **CSRF Token Retrieval:** Loads `/items/create` and scrapes the hidden `_token` input.\n* **Shell Deployment:** For versions ≥ 2.2.3, it uses the icon parameter pointing to a remote PHP shell URL on a webserver\n* **Item Enumeration:** Scrapes the item list (`/items`) to find the dashboard entry matching the random tag.\n* **Shell URL Extraction:** Checks edit page (`/items/\u003cid\u003e/edit`), finds `icon` or `#appimage img` element, and prints shell URL.\n\n```\npython heimShell.py \u003cbase_url\u003e\ndetected version: 2.4.13\n☠  shell uploaded at: \u003cbase_url\u003e/storage/icons/abc123DEF456.php\n```\n\n## References\n[https://nvd.nist.gov/vuln/detail/CVE-2023-51803](https://nvd.nist.gov/vuln/detail/CVE-2023-51803)\n\n[https://rz.my/2024/06/cve-2023-51803-arbitrary-file-upload-in-linuxserverio-heimdall.html](https://rz.my/2024/06/cve-2023-51803-arbitrary-file-upload-in-linuxserverio-heimdall.html)\n\n\n\n## Disclaimer\n\nThis tool is for authorized security testing only. Unauthorized use against systems you do not own or have explicit permission to test is illegal and unethical.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsuperswan%2Fheimshell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsuperswan%2Fheimshell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsuperswan%2Fheimshell/lists"}