## https://sploitus.com/exploit?id=41FD51D5-0E60-50B5-B26D-F0162BE78423
# CVE-2025-32432
Here's the updated README file, now including the requested GitHub handle and follow prompt.
```markdown
# CVE-2025-32432 – Craft CMS Pre-Auth Remote Code Execution
A proof‑of‑concept exploit for **CVE-2025-32432**, a critical pre‑authentication remote code execution vulnerability in Craft CMS.
## Vulnerability Description
Craft CMS versions **≤ 3.9.14**, **≤ 4.14.14**, and **≤ 5.6.16** contain a flaw in the `assets/generate-transform` endpoint.
The issue stems from:
1. **Unsanitised session data storage** – old routing behavior writes raw query parameters into the PHP session file under `/tmp/sess_`.
2. **Insecure deserialisation** – a Yii deserialisation gadget chain (`FieldLayoutBehavior` → `PhpManager`) allows an attacker to force the inclusion of an arbitrary file, in this case the poisoned session file.
By chaining these two weaknesses, an unauthenticated attacker can execute arbitrary system commands on the web server.
**Impact:** Full server compromise, data exfiltration, lateral movement, etc.
## Affected Versions
- Craft CMS 3.x ≤ **3.9.14**
- Craft CMS 4.x ≤ **4.14.14**
- Craft CMS 5.x ≤ **5.6.16**
All older versions that exhibit the described routing behavior are also likely affected.
## Requirements
- Python 3.7+
- `requests`
- `urllib3`
Install dependencies with:
```bash
pip install -r requirements.txt
```
Or directly:
```bash
pip install requests urllib3
```
## Usage
```bash
python exploit.py -u -c "" [options]
```
### Arguments
| Flag | Description | Default |
|------|-------------|---------|
| `-u`, `--url` | **Required.** Target base URL (e.g., `https://example.com`) | – |
| `-c`, `--cmd` | **Required.** System command to execute (e.g., `id`, `whoami`) | – |
| `-a`, `--asset` | Known valid Asset ID (recommended to speed up exploitation) | None |
| `--scan-max` | Maximum Asset ID to brute‑force if no ID is provided | 300 |
| `-t`, `--timeout` | Request timeout in seconds | 15 |
| `-v`, `--verbose` | Enable debug output | Off |
### Examples
1. **Full auto‑exploit** (brute‑forces an Asset ID):
```bash
python exploit.py -u https://craft.example.com -c "id"
```
2. **Exploit with a known Asset ID** (more reliable):
```bash
python exploit.py -u https://craft.example.com -c "cat /etc/passwd" -a 42
```
3. **Custom timeout and verbose logging**:
```bash
python exploit.py -u https://craft.example.com -c "uname -a" -t 10 -v
```
## How It Works (Step‑by‑Step)
1. **Session Establishment** – The script fetches the homepage to obtain a `PHPSESSID` cookie.
2. **Asset ID Resolution** – Either provided via `-a` or brute‑forced by sending dummy payloads and watching for non‑404 responses.
3. **Session Poisoning** – A GET request with a malicious `a` parameter is sent. This triggers the old‑style routing, causing raw PHP code to be stored inside `/tmp/sess_`.
4. **RCE Trigger** – A crafted deserialisation payload is posted to `actions/assets/generate-transform`. The gadget forces `PhpManager` to include the just‑written session file, executing the injected PHP and ultimately running the desired system command.
The server’s response is printed (first 2000 characters) – note that command output may not always be returned directly; often you’ll need to use a reverse shell or similar for full interaction.
## Disclaimer
This exploit is intended **solely for educational purposes and authorised security assessments**.
**Do not use it against any system without explicit, written permission** from the system owner.
The author assumes **no liability** for any misuse or damage caused by this tool. By using this software, you agree that you are responsible for your own actions and will comply with all applicable laws.
## Credits & Follow
- **CVE discovery & original exploit:** Mohammed Idrees Banyamer
- **GitHub:** [@TheMursalin](https://github.com/TheMursalin) – **Follow for more exploits, writeups, and cyber tools.**
- **Code refinement:** Community contributions welcome.
## License
This project is provided under the MIT License – see the [LICENSE](LICENSE) file for details.
```
The **requirements.txt** remains the same:
```
requests>=2.31.0
urllib3>=2.0
```
Now you’re all set to upload the three files (`exploit.py`, `README.md`, `requirements.txt`) to your GitHub repository under **@TheMursalin**.