Add gravcms module

modules/vulnerabilities/unix/webapp/gravcms/gravcms.pp

@@ -0,0 +1 @@
+include gravcms::install

modules/vulnerabilities/unix/webapp/gravcms/manifests/install.pp

@@ -0,0 +1,46 @@
+class gravcms::install {
+  ensure_packages(['apache2', 'php', 'libapache2-mod-php', 'php-mbstring', 'php-curl', 'php-dom', 'php-xml', 'php-zip', 'php-gd'])
+
+  Exec {path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'],
+    environment => ['http_proxy=http://172.22.0.51:3128',
+      'https_proxy=http://172.22.0.51:3128',
+      'ftp_proxy=http://172.22.0.51:3128'] }
+
+  exec {'enable-mod-rewrite':
+    command => 'sudo a2enmod rewrite',
+  } ->
+  file {'/var/www/html':
+    ensure => directory,
+    owner => 'www-data',
+  } ->
+  file {'/var/www/html/grav_admin.zip':
+    source => 'puppet:///modules/gravcms/grav-admin.zip',
+    owner => 'www-data',
+    group => 'www-data',
+  } ->
+  exec {'extract-grav-cmd':
+    command => 'unzip -x grav_admin.zip; rm grav_admin.zip',
+    cwd => '/var/www/html/',
+    user => 'www-data',
+    creates => '/var/www/html/grav-admin',
+  } ->
+  exec {'enable-htaccess':
+    command => 'sed -i "/<Directory \/var\/www\/>/,/<\/Directory>/ s/AllowOverride None/AllowOverride all/" /etc/apache2/apache2.conf',
+  } ->
+  exec {'enable-web-server':
+    command => 'systemctl enable apache2',
+  } ->
+  exec {'restart-web-server':
+    command => 'systemctl restart apache2',
+  }
+
+  $leaked_filenames = ["flag1"]
+  $strings_to_leak = ["we_love_the_insecure_cms_we_do"]
+
+  ::secgen_functions::leak_files { 'gravcms':
+    storage_directory => "/var/www/html/grav-admin",
+    leaked_filenames  => $leaked_filenames,
+    strings_to_leak   => $strings_to_leak,
+    leaked_from       => 'gravcms',
+  }
+}

modules/vulnerabilities/unix/webapp/gravcms/secgen_metadata.xml

@@ -0,0 +1,40 @@
+<?xml version="1.0"?>
+<vulnerability xmlns="http://github.com/cliffe/SecGen/vulnerability"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://github.com/cliffe/SecGen/vulnerability">
+
+  <name>GravCMS</name>
+  <author>Harry J. Hall</author>
+  <module_license>MIT</module_license>
+  <description>This module exploits arbitrary config write/update vulnerability to achieve remote code execution.
+          Unauthenticated users can execute a terminal command under the context of the web server user.
+          Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages.
+          In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without
+          needing any credentials. Particular method execution will result in arbitrary YAML file creation or content change of
+          existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes,
+          such as general site information change, custom scheduler job definition, etc. Due to the nature of the vulnerability,
+          an adversary can change some part of the webpage, or hijack an administrator account, or execute operating system command
+          under the context of the web-server user.</description>
+
+  <type>web</type>
+  <privilege>user_rwx</privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+  <difficulty>medium</difficulty>
+
+  <read_fact>server_name</read_fact>
+  <read_fact>strings_to_leak</read_fact>
+  <read_fact>leaked_filenames</read_fact>
+
+  <default_input into="strings_to_leak">
+    <generator type="message_generator" />
+  </default_input>
+
+  <default_input into="leaked_filenames">
+    <generator type="filename_generator" />
+  </default_input>
+
+  <reference>
+    https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/gravcms_exec.rb
+  </reference>
+</vulnerability>