module

GravCMS Remote Command Execution

Try Surface Command
Back to search
Disclosed
2021-03-29
Created
2021-05-04

Description

This module exploits arbitrary config write/update vulnerability to achieve remote code execution.
Unauthenticated users can execute a terminal command under the context of the web server user.

Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages.
In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without
needing any credentials. Particular method execution will result in arbitrary YAML file creation or content change of
existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes,
such as general site information change, custom scheduler job definition, etc. Due to the nature of the vulnerability,
an adversary can change some part of the webpage, or hijack an administrator account, or execute operating system command
under the context of the web-server user.

Author

Mehmet Ince mehmet@mehmetince.net

Platform

PHP

Architectures

php

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


    msf > use exploit/linux/http/gravcms_exec
    msf exploit(gravcms_exec) > show targets
        ...targets...
    msf exploit(gravcms_exec) > set TARGET < target-id >
    msf exploit(gravcms_exec) > show options
        ...show and set options...
    msf exploit(gravcms_exec) > exploit
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today