Pre-auth RCE in Craft CMS asset transform generation
CVE-2025-32432 is a critical unauthenticated remote code execution vulnerability in Craft CMS affecting versions 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17. The flaw is described as a code injection issue and an additional fix for CVE-2023-41892. Available reporting indicates exploitation occurs through Craft CMS’s asset/image transformation functionality, specifically via requests to the admin/actions/assets/generate-transform endpoint. Technical reporting and detection content indicate attackers can supply crafted transformation data that abuses Yii object instantiation/behavior attachment mechanisms, leading to arbitrary PHP code execution. Multiple sources describe the issue as pre-authentication and low complexity, and in-the-wild exploitation has been reported since at least February 2025.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
actions/assets/generate-transform, especially requests containing __class, unexpected object structures, or anomalous transform parameters. Review logs, session storage, and web-accessible directories for indicators of compromise and unauthorized administrative activity. If secure mitigation cannot be applied promptly, temporarily discontinue use of the vulnerable internet-exposed instance.
Remediation
Patch, then assume compromise.
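As an added example (not part of this page or of any repository listed below), a small Python triage script that applies the log-review advice above to nginx combined-format access log lines: it flags hits on the generate-transform endpoint (including the index.php?p=admin/... routing form), __class and handle[ markers in the decoded query string, and PHP tags in the User-Agent header, which is the log-poisoning step several reports describe. The log format, the marker list and the four sample lines are constructed assumptions; POST bodies never appear in access logs, so JSON-body payloads need a WAF or application-level log instead.

```python
import re
from urllib.parse import unquote_plus

# nginx "combined" log format (assumption; adjust the regex to your own format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ENDPOINT = "actions/assets/generate-transform"
# Markers named in public reporting; matched case-insensitively on the decoded URL.
SUSPICIOUS_PARAMS = ("__class", "handle[", "itemfile", "phpmanager", "fnstream")

# Constructed sample lines: benign page load, UA log poisoning, endpoint trigger
# with object-injection markers, and a plain transform request worth reviewing.
SAMPLE_LINES = [
    '203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2025:10:00:02 +0000] "GET / HTTP/1.1" '
    '200 512 "-" "<?php echo 1; ?>"',
    '198.51.100.7 - - [10/Mar/2025:10:00:03 +0000] "POST /index.php?p=admin/'
    'actions/assets/generate-transform&assetId=1&handle%5B__class%5D=REDACTED '
    'HTTP/1.1" 200 128 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Mar/2025:10:00:04 +0000] "GET /actions/assets/'
    'generate-transform?assetId=12&transform=thumb HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def triage_line(line):
    """Return the list of reasons a log line is suspicious ([] when it is not)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: handle separately, do not silently trust
    url = unquote_plus(m.group("url"))  # decode %5B...%5D so handle[...] is visible
    reasons = []
    if ENDPOINT in url:
        reasons.append("generate-transform endpoint")
        lowered = url.lower()
        reasons += [f"param marker {p!r}" for p in SUSPICIOUS_PARAMS if p in lowered]
    ua = m.group("ua")
    if "<?php" in ua.lower() or "<?=" in ua:
        reasons.append("PHP tag in User-Agent")  # attempted log poisoning
    return reasons


def scan(lines):
    """Map line index -> reasons for every flagged line."""
    return {i: r for i, line in enumerate(lines) if (r := triage_line(line))}


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_LINES).items():
        print(i, reasons)
```

A legitimate transform request is still reported (endpoint hit only), because on an unpatched instance every hit on that route deserves a look; the marker and User-Agent findings are the ones to escalate first.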
Exploits
6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
Small standalone Python exploit repository for CVE-2025-32432 targeting Craft CMS. The repo contains one main code file (exploit.py), a detailed README, requirements.txt, and license metadata. The exploit is not framework-based. Core capability: unauthenticated RCE against vulnerable Craft CMS by abusing the anonymous /actions/assets/generate-transform endpoint. The script obtains a CSRF token from /actions/users/session-info, poisons a server-side file (default nginx access.log) by sending PHP in the User-Agent header, then POSTs crafted handle[...] parameters so Craft/Yii instantiates yii\rbac\PhpManager with itemFile pointing to the poisoned file. Because PhpManager ultimately require()s itemFile, the injected PHP executes on the server. Operational flow in exploit.py: initialize a requests session with TLS verification disabled; optionally perform a lab-specific PATCH /login to obtain a coopsess cookie; fetch CSRF token; poison the log via GET /; trigger the vulnerable endpoint via POST /actions/assets/generate-transform; parse returned output; and optionally support reverse-shell execution with a locally spawned nc/ncat listener. The README also documents alternate itemFile paths and a more persistent header-driven PHP webshell concept. Notable targeting details: requires a reachable Craft CMS instance, a valid assetId, and a writable/parsable sink such as /var/log/nginx/access.log. The README states affected versions as Craft CMS <= 5.6.16, <= 4.15.2, <= 3.9.14, and Yii2 <= 2.0.49, with fixes in Craft 5.6.17+ and Yii2 2.0.50. Overall, this is a real operational PoC with built-in command execution and reverse-shell support rather than a mere detector.
This repository is a small standalone Python exploit for CVE-2025-32432, a pre-authentication remote code execution vulnerability in Craft CMS. It contains two files: a README describing the vulnerability, affected versions, and usage, and exploit.py, the actual exploit implementation. No external framework such as Metasploit or Nuclei is used. The exploit is operational and performs a full attack chain against a remote Craft CMS target. First, it establishes a session by requesting /index.php and extracting the PHPSESSID cookie. Second, if the operator does not provide a known asset ID, it brute-forces one by POSTing crafted JSON to /actions/assets/generate-transform and treating any non-404 response as a likely valid assetId. Third, it poisons the PHP session by sending a GET request to /index.php with query parameters including attacker-controlled PHP code in parameter a, relying on the vulnerable routing/session behavior to write raw input into /tmp/sess_<PHPSESSID>. Finally, it triggers deserialization by POSTing another crafted JSON object to /actions/assets/generate-transform, abusing the craft\behaviors\FieldLayoutBehavior -> yii\rbac\PhpManager gadget chain so itemFile points to the poisoned session file. When included, the injected PHP executes system('<command>'). Main exploit capabilities: unauthenticated remote command execution, optional asset ID brute-forcing, session establishment and cookie harvesting, session poisoning, and retrieval/display of server response content. The payload is basic but functional: arbitrary shell command execution through PHP's system() call. The script supports operator-supplied target URL, command, optional asset ID, brute-force range, timeout, and verbose logging. Fingerprintable targets and artifacts in code include the Craft CMS routes /index.php and /actions/assets/generate-transform, the PHP session cookie PHPSESSID, and the local server file path /tmp/sess_<PHPSESSID>.
The exploit specifically targets Craft CMS versions 3.9.14 and earlier, 4.14.14 and earlier, and 5.6.16 and earlier, as stated in the repository.
This repository contains a fully functional exploit for CVE-2025-32432, a critical pre-authentication remote code execution (RCE) vulnerability in Craft CMS versions 3.x, 4.x, and 5.x prior to their respective patched releases. The exploit is implemented in Python (CVE-2025-32432.py) and automates the attack by first extracting a CSRF token from the admin dashboard, then sending a specially crafted JSON payload to the /index.php?p=admin/actions/assets/generate-transform endpoint. This payload leverages PHP object deserialization to execute arbitrary PHP code (demonstrated with phpinfo). The script supports both single and multiple target modes, uses threading for efficiency, and writes results to a file. The README.md provides detailed vulnerability, exploitation, and mitigation information. The exploit is operational and can be used to verify and demonstrate RCE on vulnerable Craft CMS instances.
This repository provides a comprehensive and operational exploit toolkit for CVE-2025-32432, a critical remote code execution (RCE) and information disclosure vulnerability in CraftCMS. The main exploit script (CVE-2025-32432.py) implements multiple session injection techniques by abusing the 'returnUrl' and 'a' parameters on various admin endpoints to inject PHP code into the session file. It then discovers a valid asset ID and crafts JSON payloads to trigger either information disclosure (via GuzzleHttp\Psr7\FnStream and phpinfo()) or RCE (via yii\rbac\PhpManager loading the session file). The exploit is highly automated, with robust output parsing, error handling, and debug options. An additional script (automated_testing.py) enables concurrent testing of multiple targets and saves results in JSON format. The repository includes detailed documentation (README.md, USAGE.md, exploit_summary.md) outlining usage, technical details, and mitigation advice. The exploit targets CraftCMS versions prior to 3.9.15, 4.14.15, and 5.6.17, and requires the ability to write and read PHP session files on the server. The attack vector is network-based, targeting exposed CraftCMS admin endpoints. Key fingerprintable endpoints include various admin URLs and the PHP session file path. The exploit is not a framework module but is mature and operational, providing both RCE and information disclosure capabilities.
This repository provides two Python scripts for exploiting CVE-2025-32432, a pre-authentication remote code execution vulnerability in CraftCMS versions 3.x, 4.x, and 5.x. The exploit leverages a two-step attack chain: first, it injects arbitrary PHP code into a session file via a GET request to the admin dashboard endpoint; second, it uses a POST request to the asset-transform endpoint with a crafted deserialization gadget to require and execute the session file, resulting in arbitrary command execution. The main script, 'craftcms_final_payload.py', automates this process, including brute-forcing the required assetId if not provided. The secondary script, 'craftcms_rce_php_check.py', is a low-impact probe that checks for exploitability by attempting to execute phpinfo(). The repository is well-documented, includes installation and usage instructions, and targets unauthenticated attackers over HTTP/HTTPS. The exploit is operational, providing a working payload for arbitrary shell command execution on vulnerable CraftCMS instances.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-32432, a pre-authentication remote code execution (RCE) vulnerability in CraftCMS versions 4.x and 5.x. The exploit is implemented in a single Python script, 'craftcms_rce.py', which automates the process of detecting and exploiting the vulnerability. The script works by first retrieving a CSRF token from the CraftCMS admin dashboard, then sending a specially crafted JSON payload to the asset transform generation endpoint. This payload leverages PHP object injection to trigger code execution via the 'GuzzleHttp\Psr7\FnStream' class, with the default action being execution of 'phpinfo()' to verify exploitation. The script supports both single and multiple target modes, multi-threaded scanning, and outputs results to both the console and a CSV file ('vulnerable.txt'). The exploit extracts and reports sensitive information such as the database name and home directory from the target upon successful exploitation. The repository is well-documented, with a detailed README explaining usage, technical details, and output format. No hardcoded IPs or domains are present; the script takes user-supplied targets as input.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
92 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The content references CVE-2025-32432 in the context of fixing a false negative, but does not describe the vulnerability itself or its significance.
A pre-authentication remote code execution vulnerability in Craft CMS, referenced as a Metasploit module PR.
A critical code injection vulnerability in Craft CMS that allows remote, unauthenticated attackers to execute arbitrary code on the underlying server.
A Craft CMS remote code execution/code injection vulnerability that was exploited in the wild, including in attacks chaining it with CVE-2024-58136 to breach servers and upload a PHP file manager.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.