Grav CMS

A Grav CMS install that exposes the Admin plugin can be identified by the /grav-admin/ path. Unpatched installs are affected by CVE-2021-21425, which gives unauthenticated command execution.

Discovery

nmap -sC -sV TARGET
# 22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu
# 80/tcp open  http    Apache httpd 2.4.41
# http-title: Index of /
# http-ls: grav-admin/

Confirm the Grav path directly:

curl http://TARGET/grav-admin/
nuclei -u http://TARGET/grav-admin -as -rl 8 -c 6
# [metatag-cms] http://TARGET/grav-admin/ ["GravCMS"]
# [tech-detect:grav-cms] http://TARGET/grav-admin/

Useful paths from content discovery:

/grav-admin/admin
/grav-admin/login
/grav-admin/home
/grav-admin/forgot_password
/grav-admin/user_profile
/grav-admin/typography
/grav-admin/admin/login
/grav-admin/admin/forgot

Username Enumeration

The password reset flow can reveal whether a username is valid, because it returns different responses for existing and non-existing accounts.

Reference: https://github.com/advisories/GHSA-q3qx-cp62-f6m7

CVE-2021-21425 Unauthenticated RCE

Use the CVE-2021-21425 PoC against the Grav root path:

Successful output drops into a webshell:

Post-Exploitation Enumeration

Grav stores user accounts in YAML files:

Useful fields from admin.yaml:

The password hash is bcrypt:

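Added defender-side example, not part of these notes: a small audit script for a Grav checkout that parses the bcrypt hash in a user/accounts/*.yaml file (variant, cost, salt, digest), flags weak cost or disabled 2FA, and compares the Admin plugin version in user/plugins/admin/blueprints.yaml against the fixed version. The sample files and hash are constructed, and the fixed version (1.10.8) is an assumption taken from the upstream advisory rather than from this page.

```python
import re

# Fixed Admin-plugin version for CVE-2021-21425 (assumption: taken from the
# upstream advisory, not from these notes; confirm before relying on it).
FIXED_ADMIN_VERSION = (1, 10, 8)

# Modular-crypt bcrypt layout: $2a|2b|2y$ <2-digit cost> $ <22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

def parse_bcrypt(value):
    """Split a bcrypt string into its fields; None if it is not well-formed bcrypt."""
    m = BCRYPT_RE.match(value.strip())
    if not m:
        return None
    return {"variant": m.group(1), "cost": int(m.group(2)),
            "salt": m.group(3), "digest": m.group(4)}

def audit_account(yaml_text, min_cost=10):
    """Findings for one account YAML (flat keys read with regex, no YAML library needed)."""
    findings = []
    m = re.search(r"^hashed_password:\s*['\"]?([^'\"\s]+)", yaml_text, re.M)
    if not m:
        findings.append("no hashed_password field")
    else:
        info = parse_bcrypt(m.group(1))
        if info is None:
            findings.append("hashed_password is not bcrypt")
        elif info["cost"] < min_cost:
            findings.append(f"bcrypt cost {info['cost']} is below {min_cost}")
    if re.search(r"^twofa_enabled:\s*false\b", yaml_text, re.M):
        findings.append("twofa_enabled is false")
    return findings

def admin_plugin_vulnerable(blueprints_text):
    """True if blueprints.yaml reports an Admin plugin version below the fixed release."""
    m = re.search(r"^version:\s*['\"]?([\w.\-]+)", blueprints_text, re.M)
    if not m:
        return False
    version = tuple(int(x) for x in re.findall(r"\d+", m.group(1))[:3])
    return version < FIXED_ADMIN_VERSION

# Constructed sample files: not real credentials, the hash is a syntactically valid dummy.
SAMPLE_ACCOUNT = """email: admin@example.invalid
hashed_password: $2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
twofa_enabled: false
"""
SAMPLE_BLUEPRINTS = "name: Admin Panel\nversion: 1.10.7\n"
```

Run audit_account(SAMPLE_ACCOUNT) and admin_plugin_vulnerable(SAMPLE_BLUEPRINTS) against the real files in a Grav checkout by reading them in place of the constructed samples.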
References

• https://github.com/bluetoothStrawberry/cve-2021-21425
• https://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/