Grav
Grav CMS is a modern, file-based content management system that uses flat files instead of a traditional database. Designed with performance and simplicity in mind, Grav allows websites to be built and deployed quickly by relying on Markdown files for content, YAML for configuration, and the Twig templating engine for design. Its architecture enables easy portability, minimal server requirements, and streamlined version control through tools like Git. Grav’s modular structure also makes it suitable for customization and plugin development, while the lack of a database backend may present unique considerations for attack surface exploration during red team operations.
Unauthenticated RCE
Grav CMS versions before 1.7.3 are vulnerable to an unauthenticated arbitrary file write vulnerability (CVE-2021-21425) caused by improper input validation in the Admin plugin's scheduler configuration. An attacker can abuse this flaw to inject a scheduled job containing arbitrary PHP code, which Grav writes to a web-accessible directory (e.g., /tmp/) as a .php file. This allows remote code execution by sending crafted POST requests that bypass authentication using a predictable or exposed admin-nonce.
The available PoC involves first retrieving the admin-nonce and session cookie from the /admin page, then issuing a job creation request with base64-encoded PHP code. Once written, the payload can be triggered via a browser or HTTP request to gain shell access or escalate further.
python3 exploit.py --url http://192.168.204.12/grav-admin
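From the defender's side, the chain above leaves a recognisable trace in web-server access logs: a client POSTs to the admin UI and shortly afterwards requests a .php file under the web-accessible tmp/ directory, which is never legitimate traffic on a Grav site. The following is an added detection example, not code from this page or from the Grav project; the log lines are constructed samples in the common combined log format, and the path prefix /grav-admin is assumed from the PoC command above.

```python
import re

# Combined log format as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Grav's tmp/ directory under the web root only ever holds cache data, so a request
# for a .php file there (what the scheduler-abuse chain produces) is an indicator.
TMP_PHP_RE = re.compile(r'^(?:/[^/]+)*/tmp/[^?]*\.php(?:\?|$)', re.IGNORECASE)

# Constructed sample traffic: one client runs the chain, another browses normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /grav-admin/admin HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /grav-admin/admin HTTP/1.1" 200 312
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "GET /grav-admin/tmp/cmd.php HTTP/1.1" 200 44
198.51.100.9 - - [10/Mar/2024:12:01:00 +0000] "GET /grav-admin/ HTTP/1.1" 200 8800
198.51.100.9 - - [10/Mar/2024:12:01:03 +0000] "GET /grav-admin/tmp/style.css HTTP/1.1" 404 0
""".strip().splitlines()


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_indicators(lines):
    """Return (reason, client_ip, path) findings for the Grav scheduler-abuse pattern."""
    findings = []
    first_admin_post = {}  # client ip -> index of its first POST to the admin UI
    for i, line in enumerate(lines):
        r = parse(line)
        if not r:
            continue
        ip, path = r["ip"], r["path"]
        if r["method"] == "POST" and "/admin" in path:
            first_admin_post.setdefault(ip, i)
        if TMP_PHP_RE.match(path):
            findings.append(("php_under_tmp", ip, path))
            # Same client POSTed to admin earlier: the full write-then-trigger sequence.
            if ip in first_admin_post and first_admin_post[ip] < i:
                findings.append(("admin_post_then_tmp_php", ip, path))
    return findings


if __name__ == "__main__":
    for reason, ip, path in find_indicators(SAMPLE_LOG):
        print(f"{reason}: {ip} -> {path}")
```

Upgrading to a patched release and denying PHP execution under tmp/ at the web-server layer remove the trigger step entirely, so the rule above is a safety net rather than the fix.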